Allow-Query=any
Reindl Harald
h.reindl at thelounge.net
Thu Jan 7 20:25:32 UTC 2016
On 07.01.2016 at 21:18, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 7 Jan 2016, Reindl Harald wrote:
>
>> ... when somebody wants a information which exists in
>> the DNS he can ask for that information - unconditionally
you don't get it

if i want to ask for your SOA or NS-records then i ask for them

there is *NO POINT* you can prohibit that unless you need a working
nameserver and the only thing you *could* achieve is that i need more
queries than normally needed raising the load on your own nameserver

what would happen if you can achieve it:
* in the best case no difference
* in the worst case broken clients and degraded service

prohibiting things just for the sake of prohibiting them is clueless,
dangerous and unless you have a *real good* reason for your goal you
should ask yourself if you *really* have the knowledge to maintain
public nameservers - sorry - impossible to say that more politely

> laptop3:~$ >>> dig -t any lloyds.co.uk
tells me that there is another clueless idiot degrading services as it
often happens - the larger the company the more foolish admins

WHAT do they gain with it?
NOTHING
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;lloyds.co.uk. IN ANY
>
> ;; ANSWER SECTION:
> lloyds.co.uk. 3789 IN HINFO "Please stop asking for
> ANY" "See draft-jabley-dnsop-refuse-any"
> lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
> lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
>
> ;; AUTHORITY SECTION:
> lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
> lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
>
> ;; Query time: 54 msec
> ;; SERVER: 192.168.44.72#53(192.168.44.72)
> ;; WHEN: Thu Jan 07 20:17:18 GMT 2016
> ;; MSG SIZE rcvd: 197
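
An added example, not part of the original post and not code from BIND or dig: it reads dig text output like the one quoted above, flags an ANY answer that was replaced by a synthesized HINFO record, and lists the record types a client then has to query one by one (the extra queries the post refers to). The function names, the `wanted` type list and the match on the string "refuse-any" are assumptions made for illustration; the sample is constructed from the quoted output with the wrapped HINFO line rejoined.

```python
import re

# Constructed sample: sections from the dig output quoted in the post,
# with the mail-wrapped HINFO line rejoined onto one line.
SAMPLE_DIG = '''\
;; QUESTION SECTION:
;lloyds.co.uk. IN ANY

;; ANSWER SECTION:
lloyds.co.uk. 3789 IN HINFO "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.

;; AUTHORITY SECTION:
lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
'''

# owner, TTL, class IN, type, rdata
RR = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')

def answer_records(dig_text):
    """Return (name, ttl, type, rdata) tuples from the ANSWER section only."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(';;'):
            # Any ';;' header line switches section; only ANSWER is collected.
            in_answer = line.startswith(';; ANSWER SECTION')
            continue
        m = RR.match(line) if in_answer else None
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records

def classify_any_response(dig_text, wanted=("SOA", "NS", "MX", "A", "AAAA", "TXT")):
    """Flag a synthesized HINFO answer and list types still needing their own query."""
    recs = answer_records(dig_text)
    types = {rtype for _, _, rtype, _ in recs}
    # Heuristic (assumption): an HINFO whose text names the refuse-any draft.
    refused = any(rtype == "HINFO" and "refuse-any" in rdata
                  for _, _, rtype, rdata in recs)
    follow_up = [t for t in wanted if t not in types]
    return {"refused_any": refused, "types_seen": sorted(types), "follow_up": follow_up}

if __name__ == "__main__":
    print(classify_any_response(SAMPLE_DIG))
```
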