allow-query does not seem to be working
lists+isc.org at elitists.org
Mon Aug 8 19:59:51 UTC 2016
Thanks for the info. Also I'll have to note that I completely missed that
the "offending IP" is one of the .uk root servers so the next logical
conclusion is I've probably got a box in one of my environments driving an
amplification attack of some sort or something at those IPs that I need to
figure out. Sorry for the bother and thanks for the feedback. Much
On Mon, Aug 8, 2016 at 10:51 AM, Ray Bellis <ray at isc.org> wrote:
> On 08/08/2016 18:43, Darcy Kevin (FCA) wrote:
> > As already noted, allow-query will cause you to send back a REFUSED
> > response. That’s sort of the whole point of the REFUSED RCODE.
> > If you want to not send back any response **whatsoever**, then take a
> > look at the “blackhole” statement, but, honestly, this kind of “drop”
> > function may, depending on network topology, be more efficiently
> > performed in your firewall or IDS/IPS.
> > Be aware that a client that doesn’t get a response may retry the query,
> > so simply “dropping” queries may ultimately prove counter-productive.
> and also see Mark Andrew's Internet Draft on this very topic:
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users