[176183] in North American Network Operators' Group


Re: DNS Lookup - Filter "localhost"

daemon@ATHENA.MIT.EDU (Tony Finch)
Tue Nov 18 05:25:37 2014

X-Original-To: nanog@nanog.org
Date: Tue, 18 Nov 2014 10:25:28 +0000
From: Tony Finch <dot@dotat.at>
To: "Radke, Justin" <jradke@canbytel.com>
In-Reply-To: <CA+GZS2be1UwOmVvaNYinForRxJ9qu=+ALcvf4uL4_TBLsRzevg@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Radke, Justin <jradke@canbytel.com> wrote:
>
> 2. Do you have an actual localhost zone that issues 127.0.0.1?

Yes. I think this is best practice though it isn't required by RFC 6303
and isn't set up by default in BIND like the empty reverse DNS zones.

> 3. Do you block >512 Bytes DNS requests?

512 byte requests are unlikely to be valid. Blocking >512 byte answers
breaks the DNS.

> 4. Do you block non-UDP DNS requests or rate-limit requests?

Blocking TCP requests breaks the DNS. See RFC 5966.

> 5. Anything else you block/filter on your DNS servers?

Have a look at these slides, especially the last 12 on mitigating abuse of
recursive servers.

http://www.isc.org/wp-content/uploads/2014/11/DNS-RRL-LISA14.pdf

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Northeast Viking, North Utsire: Southeasterly becoming variable, 3 or 4.
Slight or moderate. Showers. Good.
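The three points in the reply above (an authoritative localhost zone answering 127.0.0.1, answers that exceed 512 bytes being truncated rather than blocked, and TCP being required for the retry) can be checked against a resolver with a few lines of stdlib Python. The script below is an added example, not part of the original post or anything Tony Finch published: it hand-builds DNS wire-format messages, sends a query over UDP, retries over TCP when the TC bit is set (RFC 5966 behaviour), and reports whether `localhost` resolves to 127.0.0.1. The resolver address passed to `check_resolver()` is an assumption; the response bytes used for offline testing are constructed.

```python
"""Sanity-check a recursive resolver for the behaviours discussed above.
Stdlib only. Wire-format helpers are pure functions so they can be exercised
offline with constructed packets; the socket helpers need a reachable resolver."""
import socket
import struct

DNS_PORT = 53
FLAG_TC = 0x0200  # TrunCation bit in the header flags word


def build_query(qname, qtype=1, qid=0x1234, edns_size=None):
    """Standard query (RD=1) for qname/qtype; optionally add an OPT RR (EDNS0)
    advertising a UDP payload size larger than the classic 512 bytes."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_size:
        # OPT pseudo-RR: root name, type 41, "class" carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return id, rcode, TC flag and the A-record addresses in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & FLAG_TC), "addrs": addrs}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf


def query_udp(server, qname, timeout=2.0, edns_size=None):
    q = build_query(qname, edns_size=edns_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(edns_size or 512)
    return parse_response(data)


def query_tcp(server, qname, timeout=2.0):
    """DNS over TCP: two-byte length prefix, then the same message (RFC 5966)."""
    q = build_query(qname)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return parse_response(_recv_exact(s, length))


def resolve(server, qname):
    """UDP first; if the reply is truncated (TC=1) retry over TCP.
    A resolver that blocks TCP makes this second step fail."""
    r = query_udp(server, qname)
    return query_tcp(server, qname) if r["tc"] else r


def check_resolver(server):
    """Assumed resolver address, e.g. '127.0.0.1'. Returns the observed facts."""
    udp = query_udp(server, "localhost")
    tcp_ok = True
    try:
        tcp = query_tcp(server, "localhost")
    except (OSError, ConnectionError):
        tcp_ok, tcp = False, None
    return {
        "localhost_is_loopback": udp["addrs"] == ["127.0.0.1"],
        "tcp_answers": tcp_ok and tcp is not None and tcp["rcode"] == 0,
        "udp_truncated": udp["tc"],
    }


if __name__ == "__main__":
    print(check_resolver("127.0.0.1"))
```

A resolver with a localhost zone per RFC 6303 reports `localhost_is_loopback: True`; a resolver that drops TCP on port 53 reports `tcp_answers: False`, and any client that gets `TC=1` on UDP from it will fail exactly as the reply above warns.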
