Catch All Server - Null MX Setup
Mark Andrews
Mark_Andrews at isc.org
Tue Oct 4 01:47:17 UTC 2005
> WiNNie wrote:
>
> >The Name Servers are being used for a domain parking program, there is
> >no email, so MX is of no use. My dedicated Name Servers are currently
> >trying to cope with a throughput of 200-300k of data per second
> >primarily on MX and AAAA record lookups, they are never followed up by
> >an email or a visit to the relevant domain. It is basically an attack
> >of some sort, so by shutting off the MX lookups I should be able to
> >reduce the throughput, the AAAA lookups are a different case though as
> >I can't simply shut them off.
> >
> Well, if they're not actually using the results of MX records for mail,
> and they're basically just attacking you, how does it help to give them
> bogus results? If it's a relatively small number of clients or client
> ranges that are doing this, you could block the queries with
> allow-query, which can be specified at a zone level, and will save you a
> little bandwidth since REFUSED packets are smaller than data-bearing
> packets, or if you want to just snub them for everything, use blackhole,
> which nixes all return traffic and saves you a bunchload of bandwidth...
>
>
> - Kevin

Also by using a "." zone all negative answers will be rejected
as attempted cache poisoning. The SOA and NS records won't
have the expected names.

Instead you should have an entry in named.conf for each zone that
is parked. You can use a common master file provided the NS
RRset matched that in the parent zone.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
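
The per-zone layout suggested above, as an added example that is not part of the original message or ISC's own code: it generates one named.conf stanza per parked domain, all loading a single master file that uses only "@" so the SOA and NS owner names follow each zone, and it checks the shared NS RRset against each parent delegation. All domain names, name servers, the address and the file name parked.db are constructed placeholders.

```python
# Added example. Every name, address and file name here is a constructed placeholder.
PARKED = ["parked-one.example", "parked-two.example"]
NAMESERVERS = ["ns1.parking.example.", "ns2.parking.example."]
COMMON_FILE = "parked.db"  # assumed name of the shared master file


def common_zone_file(nameservers, serial=2005100401, addr="192.0.2.10"):
    """Build one master file that uses only '@' as owner name.

    Because '@' expands to the origin of whichever zone loads the file,
    the SOA and NS records carry the name of the queried zone, not '.'.
    """
    lines = [
        "$TTL 3600",
        f"@ IN SOA {nameservers[0]} hostmaster.{nameservers[0]} "
        f"( {serial} 3600 900 604800 3600 )",
    ]
    lines += [f"@ IN NS {ns}" for ns in nameservers]
    lines.append(f"@ IN A {addr}")  # parking page address (assumption)
    return "\n".join(lines) + "\n"


def zone_stanzas(domains, filename=COMMON_FILE):
    """One named.conf zone entry per parked domain, all sharing one file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{filename}"; }};\n' for d in domains
    )


def ns_mismatches(zone_text, parent_ns):
    """Return {domain: differing names} where the parent's delegation
    does not equal the NS RRset in the shared master file."""
    served = {
        line.split()[3].lower()
        for line in zone_text.splitlines()
        if line.split()[1:3] == ["IN", "NS"]
    }
    result = {}
    for domain, delegated in parent_ns.items():
        diff = {n.lower() for n in delegated} ^ served
        if diff:
            result[domain] = sorted(diff)
    return result


if __name__ == "__main__":
    print(zone_stanzas(PARKED), end="")
    print(common_zone_file(NAMESERVERS), end="")
```

Domains reported by `ns_mismatches` need their own master file or a corrected delegation before they can share the common one.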