query dropping vs. returning nxdomain
brad at stop.mail-abuse.org
Tue Mar 7 15:50:34 UTC 2006
At 3:06 PM +0000 2006-03-07, paul at vix.com wrote:
> when someone shields their reflectors (for example, their recursive name
> servers) using a firewall, they will generally configure the firewall to
> "just drop" rather than "reject with ICMP", and this is the reason.
Agreed. Look at the > 90% (I think?) garbage traffic that the
root nameservers are seeing from RFC-1918 addresses where the
responses are fundamentally unroutable to the sender. It doesn't
require malice or active work on the part of an attacker to create
such situations -- simple misconfiguration will do just fine.
While there are particular pieces of software out there that
ignore requests for any questions where they don't know the answer
(and this drives me nuts), there simply is no other choice but to
allow servers to drop/ignore certain queries that they don't want to
answer (for whatever reason).
If nothing else, it just looks like you're across a very lossy
link, which is something that the DNS is supposed to be able to deal
That said, I think it would be nice if we could find a
non-amplifying way to actively respond negatively to queries we don't
want to answer, and ICMP might be a good choice. At least give
people the option of being able to actively respond in a
non-amplifying way, as well as the option of turning that off and
going with pure drop/ignore.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.