Best allow-query setting on an authoritative-only nameserver

Ronan Flood usenet at umbral.org.uk
Tue Apr 3 20:19:03 UTC 2007


On 03 Apr 2007 00:30:51 +0100,
Chris Thompson <cet1 at hermes.cam.ac.uk> wrote:

> better, what are the pros and cons of "allow-query {none;};" versus
> "allow-query {any;};" in this context? Is it better to reply REFUSED
> or to give a referral to the root nameservers? (I suppose one should
> also distinguish between "better for us" and "better for them".)

There's the possibility of data amplification in a DoS attack with a
spoofed source address.  REFUSED should be the same size as the query,
but a root referral might be much larger -- just trying it now using
"dig @ip . ns", the REFUSED is 17 bytes, the referral is more than
twenty times that size.

-- 
Ronan Flood <usenet at umbral.org.uk>
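The size comparison in the reply above, as an added example that is not part of the thread: it builds the 17-byte "dig @ip . ns" query by hand, the REFUSED reply that "allow-query {none;};" produces, and a constructed root referral (real root-server hostnames with documentation-range addresses, TTLs and glue layout assumed) so the amplification ratio can be measured offline.

```python
import struct

def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding; "." becomes the single root byte 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal UDP query without EDNS, as "dig @ip . ns" sends: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def refused_response(query: bytes) -> bytes:
    """allow-query { none; } reply: header and question echoed, QR=1, RCODE=5 (REFUSED)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | 5        # assumes one question, no other sections
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]

# Constructed hints: real root-server hostnames, documentation-range (192.0.2.0/24) addresses.
ROOT_SERVERS = [(c + ".root-servers.net", "192.0.2.%d" % (i + 1)) for i, c in enumerate("abcdefghijklm")]

def root_referral(query: bytes) -> bytes:
    """Constructed referral for a root query: 13 NS records plus one A glue each, name-compressed."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100)            # QR=1, NOERROR, AA clear: a referral
    body = query[12:]                            # echo the question section
    name_at = {}                                 # hostname -> offset of its encoded name in rdata
    suffix_at = None                             # offset of "root-servers.net" for compression
    for host, _ in ROOT_SERVERS:
        first = host.split(".", 1)[0]
        name_at[host] = 12 + len(body) + 1 + 10  # after owner "." (1 byte) and fixed RR fields
        if suffix_at is None:
            suffix_at = name_at[host] + 1 + len(first)
            rdata = encode_name(host)            # first NS: full name, later ones point at its suffix
        else:
            rdata = bytes([len(first)]) + first.encode("ascii") + struct.pack("!H", 0xC000 | suffix_at)
        body += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    for host, addr in ROOT_SERVERS:              # additional section: A glue, owner is a pointer
        owner = struct.pack("!H", 0xC000 | name_at[host])
        body += owner + struct.pack("!HHIH", 1, 1, 518400, 4) + bytes(int(o) for o in addr.split("."))
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, len(ROOT_SERVERS), len(ROOT_SERVERS))
    return header + body
```

With these inputs the REFUSED reply is exactly the 17 bytes of the query while the referral is 436 bytes, roughly 25x, which is why "allow-query {none;};" as the default (with "allow-query {any;};" only on the zones actually served) is the safer choice against spoofed-source traffic.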



More information about the bind-users mailing list