Best allow-query setting on an authoritative-only nameserver

Peter Koch pk at techfak.uni-bielefeld.de
Wed Apr 4 09:07:37 UTC 2007


Kevin Darcy wrote:

> Hmmm... A 20-to-1 ratio doesn't exactly make one a prime target for DoS 
> amplification. Not when there are folks who seem to have confused DNS 
> with a generic information repository and have 4Kb+ TXT-record responses 
> available from publicly-queryable zones.

The difference is that these TXT (or DNSKEY, RRSIG, NAPTR, ...) RRSets need
to be located first and treated per authoritative server. "." is known to
be available at (too) many servers already.  REFUSED is fine, but you need to
track log file growth. It also helps in finding the reasons for unsolicited
queries (lame delegations or otherwise).

-Peter
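The reply above makes two practical points: an authoritative-only server that answers REFUSED to out-of-zone queries will see its query log grow, and that same log is where you find why unsolicited queries arrive (lame delegations, probes for "." and so on). The script below is an added example, not part of this thread or of BIND itself; it parses BIND 9-style query-log lines (the line layout and the sample lines are constructed here, and the list of zones the server is authoritative for is an assumption) and summarises which names and sources account for queries the server would refuse, so an operator can size the log problem and spot the lame-delegation or root-ANY sources Peter mentions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on BIND 9's
# "client <addr>#<port>: query: <name> <class> <type> <flags> (<server>)" lines.
# The "+" / "-" flag records whether the client set Recursion Desired.
SAMPLE_LOG = """\
04-Apr-2007 09:00:01.001 client 192.0.2.10#5353: query: example.net IN A - (198.51.100.1)
04-Apr-2007 09:00:01.002 client 192.0.2.10#5353: query: www.example.net IN AAAA - (198.51.100.1)
04-Apr-2007 09:00:02.010 client 203.0.113.7#1024: query: . IN ANY + (198.51.100.1)
04-Apr-2007 09:00:02.011 client 203.0.113.7#1024: query: . IN ANY + (198.51.100.1)
04-Apr-2007 09:00:02.012 client 203.0.113.7#1024: query: . IN ANY + (198.51.100.1)
04-Apr-2007 09:00:03.500 client 192.0.2.55#4000: query: mail.example.com IN MX - (198.51.100.1)
04-Apr-2007 09:00:03.501 client 192.0.2.55#4000: query: example.com IN NS - (198.51.100.1)
04-Apr-2007 09:00:04.000 client 10.0.0.9#3000: query: example.org IN A + (198.51.100.1)
"""

# Zones this server is authoritative for (assumed for the example).
AUTH_ZONES = ("example.net.", "example.org.")

QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+) \("
)


def parse_line(line):
    """Return (source, qname, qtype, recursion_desired) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return (m.group("src"), m.group("name"), m.group("type"),
            m.group("flags").startswith("+"))


def in_authority(name, zones=AUTH_ZONES):
    """True if the query name is at or below one of the served zones."""
    n = name if name.endswith(".") else name + "."
    return any(n == z or n.endswith("." + z) for z in zones)


def analyse(log_text, zones=AUTH_ZONES):
    """Summarise queries that a REFUSED-by-default authoritative server would reject."""
    report = {
        "total": 0,
        "out_of_zone": 0,          # would be REFUSED under a restrictive allow-query
        "recursion_desired": 0,    # clients treating us as a resolver
        "root_any": 0,             # "." ANY probes, the classic amplification query
        "by_source": Counter(),    # who sends the out-of-zone queries
        "by_name": Counter(),      # which names they ask for (lame delegations show up here)
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, name, qtype, rd = parsed
        report["total"] += 1
        if rd:
            report["recursion_desired"] += 1
        if name == "." and qtype == "ANY":
            report["root_any"] += 1
        if not in_authority(name, zones):
            report["out_of_zone"] += 1
            report["by_source"][src] += 1
            report["by_name"][name] += 1
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"{r['out_of_zone']} of {r['total']} queries would be REFUSED "
          f"({r['recursion_desired']} had RD set, {r['root_any']} were '. ANY')")
    print("top refused sources:", r["by_source"].most_common(3))
    print("top refused names:  ", r["by_name"].most_common(3))
```

Run against a real query log, the "by_name" counter separates the two causes Peter lists: names under a delegation you no longer serve (a lame delegation to fix with the parent) versus "." or other out-of-zone names arriving with RD set (clients or spoofed probes treating the server as an open resolver). The "out_of_zone" count over a known interval is what tells you how fast the REFUSED logging will grow.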


