query dropping vs. returning nxdomain

paul at vix.com paul at vix.com
Tue Mar 7 15:06:53 UTC 2006

i'm moving a dns-operations at lists.oarci.net thread over here to
bind-workers at isc.org, because it concerns a change to BIND that is
so non-obvious that marka and i are seeing it oppositely :-)...

# > Would it generally be considered poor form to drop queries you do 
# > not want to answer? Perhaps not only queries that would return 
# > NXDOMAIN, but also queries that maybe administratively you do not 
# > wish to answer.
# 	I don't look forward to debugging a world where queries are
# 	just dropped.  There is too much of that with EDNS queries
# 	to DNS servers.
# 	Misconfigurations happen and turning them all into "timeout"
# 	is not going to be fun.

and yet, that's how it's got to be.  as i trace and study DDoS attacks
involving spoofed-source packets from bots toward reflectors and then
responses from reflectors toward actual victims, i find that even if
the reflector does not amplify (for example, sends back SERVFAIL or an
ICMP rather than a 4X TXT EDNS answer), it's still a very painful attack
and it's still pretty much impossible to trace.

when someone shields their reflectors (for example, their recursive name
servers) using a firewall, they will generally configure the firewall to
"just drop" rather than "reject with ICMP", and this is the reason.

i think that BIND, when a source address fails to match the allow-query
ACL, should have the option of "just drop", rather than sending DNS-REFUSED.

More information about the bind-workers mailing list