query dropping vs. returning nxdomain

Brad Knowles brad at stop.mail-abuse.org
Tue Mar 7 15:50:34 UTC 2006

At 3:06 PM +0000 2006-03-07, paul at vix.com wrote:

>  when someone shields their reflectors (for example, their recursive name
>  servers) using a firewall, they will generally configure the firewall to
>  "just drop" rather than "reject with ICMP", and this is the reason.

	Agreed.  Look at the > 90% (I think?) garbage traffic that the 
root nameservers are seeing from RFC-1918 addresses where the 
responses are fundamentally unroutable to the sender.  It doesn't 
require malice or active work on the part of an attacker to create 
such situations -- simple misconfiguration will do just fine.

	While there are particular pieces of software out there that 
ignore requests for any questions where they don't know the answer 
(and this drives me nuts), there simply is no other choice but to 
allow servers to drop/ignore certain queries that they don't want to 
answer (for whatever reason).

	If nothing else, it just looks like you're across a very lossy 
link, which is something that the DNS is supposed to be able to deal 

	That said, I think it would be nice if we could find a 
non-amplifying way to actively respond negatively to queries we don't 
want to answer, and ICMP might be a good choice.  At least give 
people the option of being able to actively respond in a 
non-amplifying way, as well as the option of turning that off and 
going with pure drop/ignore.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
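As an added illustration of the amplification point discussed above (this is example code written for this page, not code from the thread or from BIND), the script below builds a DNS query and the NXDOMAIN a server would return for it, then compares bytes sent back to the (possibly spoofed) source under three reactions: silent drop, ICMP port unreachable, and NXDOMAIN. The domain names, SOA values, TTL and transaction ID are made-up inputs; header sizes assume IPv4 without options, UDP, and the RFC 792 rule that an ICMP unreachable quotes the offending IP header plus 8 bytes of payload. Names are encoded without compression, so the NXDOMAIN size is an upper bound for a server that compresses.

```python
"""Drop vs. ICMP unreachable vs. NXDOMAIN: bytes returned per query byte.

Constructed example. Names, SOA contents and header sizes are assumptions;
wire formats follow RFC 1035 (DNS), RFC 2308 (negative answers carry the
zone SOA in the authority section) and RFC 792 (ICMP unreachable quotes the
IP header plus the first 8 bytes of the original datagram).
"""
import struct

IP_HDR = 20     # minimal IPv4 header, no options (assumption)
UDP_HDR = 8
ICMP_HDR = 8    # type, code, checksum, unused


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding without compression (real servers compress,
    which shrinks the answer but does not remove the amplification)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Plain recursive query: 12-byte header plus one question (QTYPE, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_nxdomain(query: bytes, zone: str, mname: str, rname: str, ttl: int = 3600) -> bytes:
    """NXDOMAIN as a server sends it: same ID, echoed question, RCODE=3, and
    the zone SOA in the authority section so resolvers can negative-cache."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]                                       # QNAME + QTYPE + QCLASS, verbatim
    header = struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 1, 0)   # QR|AA|RD|RA, RCODE=3, NSCOUNT=1
    # SOA RDATA: MNAME, RNAME, serial, refresh, retry, expire, minimum (values are made up)
    rdata = encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", 2006030701, 7200, 3600, 1209600, 3600)
    soa_rr = encode_name(zone) + struct.pack("!HHIH", 6, 1, ttl, len(rdata)) + rdata
    return header + question + soa_rr


def icmp_port_unreachable_size(original_datagram_len: int) -> int:
    """ICMP type 3 / code 3 quotes the offending IP header plus at most 8 bytes
    of its payload, so its size is bounded no matter how large the query was."""
    quoted = IP_HDR + min(8, original_datagram_len - IP_HDR)
    return IP_HDR + ICMP_HDR + quoted


def compare_reactions(qname: str, zone: str, mname: str, rname: str) -> dict:
    """Bytes on the wire sent back to the query's source address, as a ratio
    of the query's own size, for each of the three possible reactions."""
    query = build_query(qname)
    query_wire = IP_HDR + UDP_HDR + len(query)
    nx_wire = IP_HDR + UDP_HDR + len(build_nxdomain(query, zone, mname, rname))
    icmp_wire = icmp_port_unreachable_size(query_wire)
    return {
        "query_bytes": query_wire,
        "drop": 0.0,                                       # nothing goes back at all
        "icmp_unreachable": round(icmp_wire / query_wire, 2),  # below 1: not amplifying
        "nxdomain": round(nx_wire / query_wire, 2),            # above 1: amplifying
    }


if __name__ == "__main__":
    result = compare_reactions("doesnotexist.example.com", "example.com",
                               "ns1.example.com", "hostmaster.example.com")
    for reaction, ratio in result.items():
        print(f"{reaction:18s} {ratio}")
```

For the constructed 70-byte query the NXDOMAIN comes back at more than twice the query size, the ICMP unreachable at under the query size, and the drop at nothing; that difference is the whole argument for allowing drop/ignore, and for preferring a fixed-size ICMP error over a DNS-level negative answer if an active refusal is wanted.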

More information about the bind-workers mailing list