DNS Blocking
Paul Vixie
vixie at vix.com
Thu Aug 19 23:20:22 UTC 2004
suresh at outblaze.com (Suresh Ramasubramanian) writes:
> > and you're done. any query that anyone sends to your server for that zone
> > will be sent something that will hurt them. eventually they will realize
> > that it's hurting them, and they will stop.
>
> yes but you pointed out before, deploying this would not be a good idea
> when the queries are coming in from spoofed source addresses .. the best
> thing for that would be to filter these out.
someone else pointed that out. i don't agree. you can send back three
things. icmp-unreach (if there's no nameserver running where the bogus
NS+A is pointing); or servfail (or upward delegation) if there's a name
server running where the bogus NS+A points but it does not serve the zone;
or harmful garbage designed to shift the pain back toward the person who
pointed the bad traffic at you in the first place.
it's possible that with spoofed-source, these three alternatives are
interchangeable.
it's definite that filtering out spoofed-source is the best thing to do,
but since this is way harder to do as a recipient than as a sender, it's
not a realistic alternative to running a dns server with deliberately bad
zone data.
--
Paul Vixie
More information about the NANOG
mailing list