Allow-Query=any

Reindl Harald h.reindl at thelounge.net
Thu Jan 7 20:25:32 UTC 2016



On 07.01.2016 at 21:18, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 7 Jan 2016, Reindl Harald wrote:
>
>> ... when somebody wants an information which exists in
>> the DNS he can ask for that information - unconditionally

you don't get it

if i want to ask for your SOA or NS-records then i ask for them

there is *NO POINT* you can prohibit that unless you need a working 
nameserver and the only thing you *could* achieve is that i need more 
queries than normally needed raising the load on your own nameserver

what would happen if you can achieve it:

* in the best case no difference
* in the worst case broken clients and degraded service

prohibiting things just for the sake of prohibiting them is clueless, 
dangerous and unless you have a *real good* reason for your goal you 
should ask yourself if you *really* have the knowledge to maintain 
public nameservers - sorry - impossible to say that more politely

> laptop3:~$ >>> dig -t any lloyds.co.uk

tells me that there is another clueless idiot degrading services as it 
often happens - the larger the company the more foolish admins

WHAT do they gain with it?
NOTHING

> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;lloyds.co.uk.                  IN      ANY
>
> ;; ANSWER SECTION:
> lloyds.co.uk.           3789    IN      HINFO   "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
> lloyds.co.uk.           137094  IN      NS      dina.ns.cloudflare.com.
> lloyds.co.uk.           137094  IN      NS      matt.ns.cloudflare.com.
>
> ;; AUTHORITY SECTION:
> lloyds.co.uk.           137094  IN      NS      matt.ns.cloudflare.com.
> lloyds.co.uk.           137094  IN      NS      dina.ns.cloudflare.com.
>
> ;; Query time: 54 msec
> ;; SERVER: 192.168.44.72#53(192.168.44.72)
> ;; WHEN: Thu Jan 07 20:17:18 GMT 2016
> ;; MSG SIZE  rcvd: 197


More information about the bind-users mailing list