query dropping vs. returning nxdomain
mcr at sandelman.ottawa.on.ca
Tue Mar 7 20:18:37 UTC 2006
>>>>> "paul" == paul <paul at vix.com> writes:
paul> i think that BIND, when a source address fails to match the
paul> allow-query ACL, should have the option of "just drop", rather
paul> than sending DNS-REFUSED.
May I offer a compromise... rate limit the number of responses for things
that are administratively denied.
Ideally, to a given destination, but I'd be happy if it was all
destinations. That way, if I'm trying to debug a machine that is
misconfigured (but not otherwise under attack), I'm likely to get a
reply, but there won't be the amplification of bytes or packets effect.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
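The compromise Michael proposes, shown as an added example that is not code from the thread or from BIND: a per-source token bucket decides whether a query from an address outside allow-query gets a REFUSED reply or is silently dropped. A misconfigured client still sees a REFUSED every so often, so it can be debugged, while a flood of spoofed queries cannot turn the server into a packet amplifier. The ACL, the rate and burst values, and the function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-query ACL for the example; real deployments read BIND config.
ALLOW_QUERY = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class RefusedLimiter:
    """Token bucket per source address for administratively denied queries.

    rate  - REFUSED replies per second that a single source may receive
    burst - how many REFUSED replies a quiet source may receive at once
    """
    rate: float = 1.0
    burst: float = 5.0
    buckets: dict = field(default_factory=dict)  # src -> (tokens, last_seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (self.burst, now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def decide(limiter: RefusedLimiter, src: str, now: float) -> str:
    """Return 'answer', 'refused' (send DNS REFUSED) or 'drop' (say nothing)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in ALLOW_QUERY):
        return "answer"
    # Denied by ACL: reply only while this source is under its REFUSED budget.
    return "refused" if limiter.allow(src, now) else "drop"


def simulate(limiter: RefusedLimiter, src: str, times: list) -> list:
    """Feed one query from src at each timestamp; return the verdict per query."""
    return [decide(limiter, src, t) for t in times]


if __name__ == "__main__":
    lim = RefusedLimiter()
    # Constructed burst: 20 denied queries 10 ms apart from one spoofable source.
    verdicts = simulate(lim, "198.51.100.7", [i * 0.01 for i in range(20)])
    print(verdicts.count("refused"), "refused,", verdicts.count("drop"), "dropped")
    print("two seconds later:", decide(lim, "198.51.100.7", 2.0))
```

Keying the bucket on a single global key instead of `src` gives the "all destinations" variant Michael says he would also accept.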