Stopping name server abuse

Tony Finch dot at dotat.at
Mon Jun 25 11:11:52 UTC 2018


jonny at hasig.de <jonny at hasig.de> wrote:
> Am 24.06.2018 um 23:41 schrieb Barry Margolin:
> >  jonny at hasig.de wrote:
> > >
> > > why don't you just delete the zones?
> >
> > That won't stop the queries from coming to the server.
>
> yes, but it minimizes the use of resources because the only answer is
> nxdomain.

If you delete the zones, the nameserver will return REFUSED not NXDOMAIN,
and the resolver that is making the query will retry.

We used to refuse external queries for private.cam.ac.uk, but for reasons
related to X.509 CAA checks we now use views to return NXDOMAIN instead.
This change unexpectedly reduced the query load on our authoritative
servers by half. (Obvious in retrospect, but...)

I suggest empty place-holder zones with long TTLs, possibly with a www
entry pointing to a page saying the account has been closed.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
oppose all forms of entrenched privilege and inequality
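The placeholder-zone approach Tony recommends, written out as a BIND 9 configuration fragment and zone file. This is an added example, not configuration from the original message or from the University of Cambridge; the zone name `closed-account.example`, the server names `ns1.example`/`ns2.example`, the file path and the 192.0.2.1 address (RFC 5737 documentation range) are all placeholders. The point of the long `$TTL` and SOA MINIMUM is that both positive answers and NXDOMAIN answers (RFC 2308 negative caching) are cached by resolvers for a week, so the retries that a REFUSED answer would provoke never arrive.

```conf
// named.conf fragment (added example, placeholder zone name).
// Serving the zone authoritatively means queries get NXDOMAIN (or the www
// record), not REFUSED, so resolvers cache the answer instead of retrying.
zone "closed-account.example" {
    type master;
    file "/etc/bind/db.placeholder";   // path is a placeholder
};

; /etc/bind/db.placeholder (added example)
; Default TTL for every record below: one week.
$TTL 604800
@   IN  SOA ns1.example. hostmaster.example. (
        2018062501 ; serial
        86400      ; refresh
        7200       ; retry
        2419200    ; expire
        604800 )   ; MINIMUM: negative-caching TTL (RFC 2308), one week, so
                   ; NXDOMAIN for any non-existent name is cached as long
                   ; as the positive answers are
    IN  NS  ns1.example.
    IN  NS  ns2.example.
; Optional: one host pointing at a page that explains the account is closed.
; 192.0.2.1 is a documentation address; substitute the real web host.
www IN  A   192.0.2.1
```

`named-checkzone closed-account.example /etc/bind/db.placeholder` validates the file before reloading; afterwards `dig @ns1.example nonexistent.closed-account.example` should return status NXDOMAIN with the SOA in the authority section and a TTL of 604800, where a deleted zone would have returned REFUSED with no cacheable record at all. One caveat: resolvers cap how long they keep negative answers (BIND's `max-ncache-ttl` defaults to 3 hours), so the observed cache lifetime at a given resolver is the smaller of the two values.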


More information about the bind-users mailing list