Finer control over REFUSED, e.g. root referrals
Petr Špaček
pspacek at isc.org
Mon Sep 8 14:40:08 UTC 2025
On 08. 09. 25 16:27, Michael Richardson wrote:
>
> Ondřej Surý <ondrej at isc.org> wrote:
> > I can definitely say this is not going to be implemented and nobody should.
>
> > Not returning answer is a protocol violation that can lead to DNS
> > spoofing window being much larger.
>
> Surely I'm allowed to *not* run a DNS server on an IP address, and dropping
> replies surely fits into that space :-)
>
> > There are also servers like BIND 9
> > that maintain a state per server/IP address and an attacker can point
> > her domain name to your server and use this to manipulate the remote
> > server state by asking for such name at the victim resolver.
>
> Yes, that's an interesting concern.
> It might be worth the risk.
See https://dl.acm.org/doi/pdf/10.1145/3576915.3616647 and decide for your setup.
--
Petr Špaček