Preventing a particular type of nameserver abuse

Borja Marcos borjam at sarenet.es
Tue Apr 13 09:53:08 UTC 2021



> On 13 Apr 2021, at 11:31, Julien Salort <listes at salort.eu> wrote:
> 
> Is there really a usefulness to reply with code 5, instead of silently ignoring the request?

Yes, we do it.

Imagine a customer who usually connects from different locations (hence different ISPs) and for whatever
reason keeps a static list of resolvers in resolv.conf.

If the customer queries your DNS servers from a non-authorized location and they ignore the request, you
will force the resolver to time out. If, however, the query is refused, the resolver will send it to the next
server in the list.

Being short messages, they are useless for a DDoS. Anyway, we keep an eye on it.





Borja.
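The failover behaviour described in this reply, as an added example that is not part of the original thread: a simulated stub resolver walks a static resolv.conf-style server list and compares a server that silently drops unauthorized queries with one that answers RCODE 5 (REFUSED, which is what BIND returns for a client denied by allow-query). The server names, the 20 ms round trip, the 5 s timeout and the one-line DNS header builder are constructed for the example; only the 12-byte header is parsed, since the point is the RCODE, not the answer section.

```python
"""Added example (not from the original bind-users thread): a simulated stub
resolver that walks a static resolv.conf-style server list, comparing a server
that drops unauthorised queries with one that answers RCODE 5 (REFUSED).
Server behaviour and timing values are constructed for the example."""
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5
DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_response(query_id, rcode):
    """Build a minimal 12-byte DNS header with QR=1 and the given RCODE."""
    flags = 0x8000 | (rcode & 0x0F)
    return DNS_HEADER.pack(query_id, flags, 0, 0, 0, 0)


def parse_rcode(packet):
    """Extract the 4-bit RCODE from a DNS response header."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    _qid, flags, *_ = DNS_HEADER.unpack_from(packet)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x0F


def make_server(policy, query_id=0x1234):
    """Return a fake transport for one nameserver (constructed, no network).

    policy: 'drop'   -> never answers, the stub sees a timeout
            'refuse' -> answers immediately with RCODE 5 (REFUSED)
            'answer' -> authorised client, answers with NOERROR
    The callable takes the stub's timeout and returns (packet_or_None, seconds_spent).
    """
    rtt = 0.02  # constructed 20 ms round trip

    def send(timeout):
        if policy == "drop":
            return None, timeout
        if policy == "refuse":
            return build_response(query_id, RCODE_REFUSED), rtt
        return build_response(query_id, RCODE_NOERROR), rtt

    return send


def resolve_with_failover(servers, timeout=5.0):
    """Try each server in resolv.conf order, the way a stub resolver does.

    A timeout or a REFUSED answer moves on to the next server; any other
    response is accepted. Returns (index_of_answering_server, total_seconds),
    or (None, total_seconds) if every server failed.
    """
    total = 0.0
    for idx, send in enumerate(servers):
        packet, spent = send(timeout)
        total += spent
        if packet is None:
            continue  # no reply: the stub waited out the full timeout
        if parse_rcode(packet) == RCODE_REFUSED:
            continue  # explicit refusal: no waiting, straight to the next server
        return idx, total
    return None, total


def compare_policies(timeout=5.0):
    """Two servers that do not serve this client sit ahead of the one that does."""
    drop_path = [make_server("drop"), make_server("drop"), make_server("answer")]
    refuse_path = [make_server("refuse"), make_server("refuse"), make_server("answer")]
    return {
        "drop": resolve_with_failover(drop_path, timeout),
        "refuse": resolve_with_failover(refuse_path, timeout),
    }


if __name__ == "__main__":
    for policy, (idx, secs) in compare_policies().items():
        print(f"{policy:6}: answered by server #{idx} after {secs:.2f} s")
```

With the constructed values, the drop path reaches the third server only after two full 5 s timeouts, while the refuse path gets there after three 20 ms exchanges; the REFUSED answer is a header-only packet, which is why it carries no amplification value.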



More information about the bind-users mailing list