DNS Lookup - Filter "localhost"
dot at dotat.at
Tue Nov 18 10:25:28 UTC 2014
Radke, Justin <jradke at canbytel.com> wrote:
> 2. Do you have an actual localhost zone that issues 127.0.0.1?
Yes. I think this is best practice though it isn't required by RFC 6303
and isn't set up by default in BIND like the empty reverse DNS zones.
> 3. Do you block >512 Bytes DNS requests?
512 byte requests are unlikely to be valid. Blocking >512 byte answers
breaks the DNS.
> 4. Do you block non-UDP DNS requests or rate-limit requests?
Blocking TCP requests breaks the DNS. See RFC 5966.
> 5. Anything else you block/filter on your DNS servers?
Have a look at these slides, especially the last 12 on mitigating abuse of
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Northeast Viking, North Utsire: Southeasterly becoming variable, 3 or 4.
Slight or moderate. Showers. Good.
More information about the NANOG