DNS Lookup - Filter "localhost"

Tony Finch dot at dotat.at
Tue Nov 18 10:25:28 UTC 2014


Radke, Justin <jradke at canbytel.com> wrote:
>
> 2. Do you have an actual localhost zone that issues 127.0.0.1?

Yes. I think this is best practice though it isn't required by RFC 6303
and isn't set up by default in BIND like the empty reverse DNS zones.

> 3. Do you block >512 Bytes DNS requests?

512 byte requests are unlikely to be valid. Blocking >512 byte answers
breaks the DNS.

> 4. Do you block non-UDP DNS requests or rate-limit requests?

Blocking TCP requests breaks the DNS. See RFC 5966.

> 5. Anything else you block/filter on your DNS servers?

Have a look at these slides, especially the last 12 on mitigating abuse of
recursive servers.

http://www.isc.org/wp-content/uploads/2014/11/DNS-RRL-LISA14.pdf

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Northeast Viking, North Utsire: Southeasterly becoming variable, 3 or 4.
Slight or moderate. Showers. Good.


More information about the NANOG mailing list