allow-query does not seem to be working

Frank Even lists+isc.org at elitists.org
Mon Aug 8 19:59:51 UTC 2016


Thanks for the info.  Also I'll have to note that I completely missed that
the "offending IP" is one of the .uk root servers so the next logical
conclusion is I've probably got a box in one of my environments driving an
amplification attack of some sort or something at those IPs that I need to
figure out.  Sorry for the bother and thanks for the feedback.  Much
appreciated.

On Mon, Aug 8, 2016 at 10:51 AM, Ray Bellis <ray at isc.org> wrote:

> On 08/08/2016 18:43, Darcy Kevin (FCA) wrote:
> > As already noted, allow-query will cause you to send back a REFUSED
> > response. That’s sort of the whole point of the REFUSED RCODE.
> >
> >
> >
> > If you want to not send back any response **whatsoever**, then take a
> > look at the “blackhole” statement, but, honestly, this kind of “drop”
> > function may, depending on network topology, be more efficiently
> > performed in your firewall or IDS/IPS.
> >
> >
> >
> > Be aware that a client that doesn’t get a response may retry the query,
> > so simply “dropping” queries may ultimately prove counter-productive.
>
> and also see Mark Andrew's Internet Draft on this very topic:
>
> https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03
>
> Ray
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160808/e78616b6/attachment.html>


More information about the bind-users mailing list