query dropping vs. returning nxdomain
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Mar 7 20:18:37 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "paul" == paul <paul at vix.com> writes:
paul> i think that BIND, when a source address fails to match the
paul> allow-query ACL, should have the option of "just drop", rather
paul> than sending DNS-REFUSED.
May I offer a compromise... rate limit number of responses for things
that are administratively denied.
Ideally, to a given destination, but I'd be happy if it was all
destinations. That way, if I'm trying to debug a machine that is
misconfigured (but not otherwise under attack), I'm likely to get a
reply, but there won't be the amplification of bytes or packets effect.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRA3qmYCLcPvd0N1lAQLJEwf/ZUx6ocz1r6eQykDB1o27Qg4iUiDNFgrj
JSha1DPP4zTKojvFuO7ofGYqe5dNqOEoOX9/wjX2EWXV2wqj3uvUR/FP9upQS6dQ
qPkhH/PY4TDwpgdo1eA7ga6iE7GKbim+XhohIi9+2Aa+NHQ8ETbmtUXGbhW+18ht
I5axB+ot6Sh/LVlyByzTVsMhgK/G8Q/WAIIQzuxEvCxUFtvGC455Zv3HtZV8uza6
vUMwuxl+wys8HvH4BpXwTDCtfavF7CbxJy+Uu8kDjPnu4NbNHQbdRbJFY9klqIXq
Y6ZrpGhPCQO5jhmGNv3FEUo4zpqomIBCmrwklb964Wl6Nb9aT0VWsQ==
=lfnZ
-----END PGP SIGNATURE-----
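The compromise proposed in the message above (answer administratively denied sources with REFUSED only up to a per-destination budget, then silently drop), as an added example that is not code from the original post or from BIND. It uses a token bucket per denied source address, with an optional aggregate bucket for the "all destinations" fallback; the ACL, the budgets and the sample source addresses are assumptions constructed for this example.

```python
"""Rate-limited REFUSED responses for sources that fail allow-query.

Added example, not BIND's implementation. Models the proposal in the post:
a source outside the allow-query ACL gets a REFUSED reply only while its
per-source token bucket has tokens; once exhausted, the query is dropped
silently. A misconfigured client poking at the server still sees a reply,
but a spoofed flood cannot turn the server into a packet amplifier.
"""
from ipaddress import ip_address, ip_network

# Assumed ACL and budgets: placeholders for this example, not BIND defaults.
ALLOW_QUERY = [ip_network("192.0.2.0/24")]
DENIED_PER_SECOND = 5.0   # steady-state REFUSED replies per denied source
DENIED_BURST = 5          # burst allowed before dropping starts
BUCKET_IDLE_SECONDS = 60  # evict per-source state after this much inactivity


class TokenBucket:
    """Classic token bucket: refill at `rate` tokens/s, hold at most `burst`."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DeniedResponseLimiter:
    """Decides ANSWER / REFUSED / DROP for a query from `src` at time `now`.

    `global_rate` (tokens/s) optionally caps REFUSED replies across all
    destinations, the weaker variant the post says it would also accept.
    """

    def __init__(self, acl=ALLOW_QUERY, rate=DENIED_PER_SECOND,
                 burst=DENIED_BURST, global_rate=None, global_burst=None):
        self.acl = acl
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # per denied source address; must be pruned
        self.global_bucket = None
        if global_rate is not None:
            self.global_bucket = TokenBucket(
                global_rate, global_burst or int(global_rate), 0.0)

    def allowed(self, src):
        return any(src in net for net in self.acl)

    def decide(self, src_text, now):
        src = ip_address(src_text)
        if self.allowed(src):
            return "ANSWER"
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        if not bucket.take(now):
            return "DROP"           # per-destination budget exhausted
        if self.global_bucket is not None and not self.global_bucket.take(now):
            return "DROP"           # aggregate budget exhausted
        return "REFUSED"

    def prune(self, now, idle=BUCKET_IDLE_SECONDS):
        """Drop idle per-source buckets so a spoofed flood from many
        addresses cannot grow the table without bound. Returns count removed."""
        stale = [s for s, b in self.buckets.items() if now - b.last > idle]
        for s in stale:
            del self.buckets[s]
        return len(stale)


def simulate(limiter, queries):
    """Feed (time, source) pairs in order and return the decision for each."""
    return [limiter.decide(src, t) for t, src in queries]


if __name__ == "__main__":
    # Constructed traffic: one spoofed flood source, one allowed client.
    lim = DeniedResponseLimiter()
    flood = [(0.0, "198.51.100.7")] * 8 + [(0.5, "198.51.100.7")] * 3
    print(simulate(lim, flood))
    print(lim.decide("192.0.2.10", 0.0))
```

Two details matter in practice. The per-source table is itself a resource that spoofed traffic can fill, so `prune` (or a bounded structure) is not optional; and the aggregate cap protects the server's uplink but lets one flood starve the replies a legitimate misconfigured client would have received, which is why the post prefers per-destination limiting. Later BIND releases gained a `rate-limit` statement whose `errors-per-second` setting behaves much like the per-source bucket here.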