query dropping vs. returning nxdomain
paul at vix.com
Tue Mar 7 15:06:53 UTC 2006
i'm moving a dns-operations at lists.oarci.net thread over here to
bind-workers at isc.org, because it concerns a change to BIND that is
so non-obvious that marka and i are seeing it oppositely :-)...
# > Would it generally be considered poor form to drop queries you do
# > not want to answer? Perhaps not only queries that would return
# > NXDOMAIN, but also queries that maybe administratively you do not
# > wish to answer.
# I don't look forward to debugging a world where queries are
# just dropped. There is too much of that with EDNS queries
# to DNS servers.
# Misconfigurations happen and turning them all into "timeout"
# is not going to be fun.
and yet, that's how it's got to be. as i trace and study DDoS attacks
involving spoofed-source packets from bots toward reflectors and then
responses from reflectors toward actual victims, i find that even if
the reflector does not amplify (for example, sends back SERVFAIL or an
ICMP rather than a 4X TXT EDNS answer), it's still a very painful attack
and it's still pretty much impossible to trace.
when someone shields their reflectors (for example, their recursive name
servers) using a firewall, they will generally configure the firewall to
"just drop" rather than "reject with ICMP", and this is the reason.
i think that BIND, when a source address fails to match the allow-query
ACL, should have the option of "just drop", rather than sending DNS-REFUSED.
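An added illustration, not code from the post or from BIND: a small Python model of the server-side choice argued about above. It assumes a constructed allow-query ACL, a constructed example.com query and a constructed answer record, and shows that a REFUSED reply to a spoofed source is still a full reflected packet, while "just drop" sends nothing back.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed allow-query ACL for the illustration (not from the original post).
ALLOW_QUERY = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]
NOERROR, REFUSED = 0, 5

# Constructed answer RR: compression pointer to the question name (0xc00c),
# type A, class IN, TTL 300, 4-byte RDATA 192.0.2.1. Only used so that
# permitted clients get a reply; no real resolution happens here.
FAKE_ANSWER = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])

def build_response(query: bytes, rcode: int, answer: bytes = b"") -> bytes:
    """Reply per the RFC 1035 header layout: same ID, QR=1, RD copied from
    the query, RA set, the given RCODE; the question section is echoed back."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode
    ancount = 1 if answer else 0
    header = struct.pack("!HHHHHH", qid, rflags, qdcount, ancount, 0, 0)
    return header + query[12:] + answer

def handle_query(src: str, query: bytes, drop_unmatched: bool):
    """Returns (action, wire bytes sent back); wire bytes are None for a drop.
    drop_unmatched=True models the proposed 'just drop' option, False models
    the current behaviour of answering with DNS-REFUSED."""
    addr = ip_address(src)
    if any(addr in net for net in ALLOW_QUERY):
        return "answer", build_response(query, NOERROR, FAKE_ANSWER)
    if drop_unmatched:
        return "drop", None
    return "refused", build_response(query, REFUSED)

def reflected_bytes(spoofed_src: str, query: bytes, drop_unmatched: bool) -> int:
    """Bytes the (spoofed) source address receives for one such query."""
    _, wire = handle_query(spoofed_src, query, drop_unmatched)
    return 0 if wire is None else len(wire)

# Constructed query: ID 0x1234, RD set, one question: example.com. IN A
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) \
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for policy in (False, True):
        n = reflected_bytes("198.51.100.7", SAMPLE_QUERY, policy)
        print(f"drop_unmatched={policy}: {n} bytes reflected toward the spoofed source")
```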