nanog mailing list archives
Re: DNS Blocking
From: Paul Vixie <vixie () vix com>
Date: 19 Aug 2004 23:20:22 +0000
suresh () outblaze com (Suresh Ramasubramanian) writes:
> > and you're done. any query that anyone sends to your server for that zone will be sent something that will hurt them. eventually they will realize that it's hurting them, and they will stop.
>
> yes but you pointed out before, deploying this would not be a good idea when the queries are coming in from spoofed source addresses .. the best thing for that would be to filter these out.
someone else pointed that out. i don't agree. you can send back three things: icmp-unreach (if there's no nameserver running where the bogus NS+A is pointing); or servfail (or upward delegation) if there's a name server running where the bogus NS+A points but it does not serve the zone; or harmful garbage designed to shift the pain back toward the person who pointed the bad traffic at you in the first place.

it's possible that with spoofed-source, these three alternatives are interchangeable. it's definite that filtering out spoofed-source is the best thing to do, but since this is way harder to do as a recipient than as a sender, it's not a realistic alternative to running a dns server with deliberately bad zone data.
--
Paul Vixie
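The second of the three responses listed above (a name server exists at the bogus NS+A but does not serve the zone, so it answers SERVFAIL) shown on the wire, as an added example that is not part of the original thread and is not taken from BIND or any other DNS implementation. The responder below parses a raw DNS query, answers authoritatively for the one zone it serves, and returns a non-authoritative SERVFAIL for anything else; the upward-delegation variant and the deliberately harmful third option are not implemented. The zone name, host names and 192.0.2.x addresses are constructed for the example, and the wire-format helpers are hand-written (no name compression).

```python
import struct

QTYPE_A = 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

# Constructed sample data: the only zone this server actually serves.
# (zone -> {(owner name, qtype): [(ttl, rdata bytes), ...]})
ZONES = {
    "example.org.": {
        ("example.org.", QTYPE_A): [(3600, bytes([192, 0, 2, 10]))],
        ("www.example.org.", QTYPE_A): [(3600, bytes([192, 0, 2, 11]))],
    },
}

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode an uncompressed name at offset; return (fqdn, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed names are not used by this example")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off

def build_query(qid, name, qtype=QTYPE_A):
    """A resolver-style query: one question, RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(pkt):
    """Return (id, flags, qname, qtype, qclass, offset past the question)."""
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, flags, qname, qtype, qclass, off + 4

def build_response(qid, flags_in, rcode, question, answers, authoritative):
    """QR set, AA only when we really serve the zone, RD echoed, RCODE as given."""
    flags = 0x8000 | (0x0400 if authoritative else 0) | (flags_in & 0x0100) | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    body = question
    for name, rtype, ttl, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body

def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)

def respond(query, zones=ZONES):
    """Authoritative answer inside a served zone; SERVFAIL for every other zone."""
    qid, flags_in, qname, qtype, qclass, end = parse_question(query)
    question = query[12:end]
    for zone, records in zones.items():
        if in_zone(qname, zone):
            rrs = records.get((qname, qtype), [])
            name_exists = any(n == qname for n, _ in records)
            rcode = RCODE_NOERROR if name_exists else RCODE_NXDOMAIN
            answers = [(qname, qtype, ttl, rdata) for ttl, rdata in rrs]
            return build_response(qid, flags_in, rcode, question, answers, True)
    # A bogus NS+A pointed this query at us but we do not serve the zone.
    return build_response(qid, flags_in, RCODE_SERVFAIL, question, [], False)

def rcode_of(pkt):
    return pkt[3] & 0x0F

def is_authoritative(pkt):
    return bool(pkt[2] & 0x04)

def answer_addresses(pkt):
    """Dotted-quad A records from the answer section of a response."""
    _, _, _, _, _, off = parse_question(pkt)
    ancount = struct.unpack("!H", pkt[6:8])[0]
    addrs = []
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

if __name__ == "__main__":
    for name in ("www.example.org", "www.example.net"):
        resp = respond(build_query(0x1234, name))
        print(name, "rcode", rcode_of(resp), "aa", is_authoritative(resp), answer_addresses(resp))
```

The point a resolver operator sees: the SERVFAIL carries no AA bit and no answer, so the resolver retries its other candidate servers for the zone and then fails the lookup, which is the "pain" the message is talking about. Since the reply is the same size as the query, this choice also gives a spoofed-source sender no amplification, unlike an upward referral with a full root NS set.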