Preventing a particular type of nameserver abuse
Grant Taylor
gtaylor at tnetconsulting.net
Mon Apr 12 20:39:44 UTC 2021
On 4/12/21 1:41 PM, Peter Coghlan wrote:
> As far as I can see providing no response at all in any instance when
> a code 5 refused response would normally be returned would be the
> appropriate thing for my nameserver to do here and doing this would
> cause no difficulties at all with any legitimate queries or anyone
> who is not an abuser. Am I correct here?
You might consider filtering the egress code 5 from your server via
local firewall. I'm not entirely sure how to do this. But I suspect
that your platform's firewall has an option.
I know that I've used IPTable's "string" match extension to filter out
problematic inbound queries at times in the past. Perhaps something
like this could be pressed into service to filter outgoing code 5 replies.
You might be able to apply the same methodology to filter unwanted
inbound queries to completely avoid sending the reply code at all.
> All results of my research point to the use of rate limiting as the
> only approach available for dealing with this sort of issue.
There are always multiple ways to do things. It's a question of how
practical they are.
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210412/221187fd/attachment.bin>
More information about the bind-users
mailing list