[73359] in North American Network Operators' Group


Re: DNS Blocking

daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Aug 19 19:20:58 2004

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 19 Aug 2004 23:20:22 +0000
In-Reply-To: <41252F55.5010006@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu


suresh@outblaze.com (Suresh Ramasubramanian) writes:

> > and you're done.  any query that anyone sends to your server for that zone
> > will be sent something that will hurt them.  eventually they will realize
> > that it's hurting them, and they will stop.
> 
> yes but you pointed out before, deploying this would not be a good idea 
> when the queries are coming in from spoofed source addresses .. the best 
> thing for that would be to filter these out.

someone else pointed that out.  i don't agree.  you can send back three
things.  icmp-unreach (if there's no nameserver running where the bogus
NS+A is pointing); or servfail (or upward delegation) if there's a name
server running where the bogus NS+A points but it does not serve the zone;
or harmful garbage designed to shift the pain back toward the person who
pointed the bad traffic at you in the first place.

it's possible that with spoofed-source, these three alternatives are
interchangeable.

it's definite that filtering out spoofed-source is the best thing to do,
but since this is way harder to do as a recipient than as a sender, it's
not a realistic alternative to running a dns server with deliberately bad
zone data.
-- 
Paul Vixie
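The middle option in the post (a name server that is running where the bogus NS+A points but does not serve the zone, so it answers servfail) can be shown in a few dozen lines of wire-format handling. The following is an added example written for this page, not code from the post or from any name server; the zone `example.test.`, the address `192.0.2.10` and the query names are constructed. It parses a single-question query, answers authoritatively for the one zone it serves, and returns SERVFAIL with no data for any other zone instead of inventing records.

```python
"""Minimal authoritative DNS responder (added example, constructed data).

Serves exactly one zone and answers SERVFAIL for everything else, which is
the 'servfail' response option discussed in the post for queries that land
on a server because someone pointed bogus NS+A records at it.
"""
import ipaddress
import struct

# Constructed zone data: the only zone this server is authoritative for.
SERVED_ZONES = {"example.test.": {"www.example.test.": "192.0.2.10"}}

QR, AA = 0x8000, 0x0400                      # header flag bits
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.test.' as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a standard recursion-desired A/IN query (constructed input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(msg: bytes):
    """Return (id, qname, qtype, qclass, raw question section)."""
    qid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, qname, qtype, qclass, msg[12:off + 4]


def zone_for(qname: str):
    """Return the served zone containing qname, or None."""
    for zone in SERVED_ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def build_response(query: bytes) -> bytes:
    qid, qname, qtype, qclass, question = parse_query(query)
    zone = zone_for(qname)
    if zone is None:
        # Not our zone: SERVFAIL, no AA bit, no records of any kind.
        return struct.pack("!HHHHHH", qid, QR | RCODE_SERVFAIL, 1, 0, 0, 0) + question
    records = SERVED_ZONES[zone]
    if qname not in records:
        # Our zone, unknown name: authoritative NXDOMAIN.
        return struct.pack("!HHHHHH", qid, QR | AA | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        # Name exists but no record of that type: NOERROR with empty answer.
        return struct.pack("!HHHHHH", qid, QR | AA | RCODE_NOERROR, 1, 0, 0, 0) + question
    rdata = ipaddress.IPv4Address(records[qname]).packed
    # Answer RR: pointer to the question name (offset 12), A, IN, TTL 300, 4 bytes.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return struct.pack("!HHHHHH", qid, QR | AA | RCODE_NOERROR, 1, 1, 0, 0) + question + answer


def rcode_of(resp: bytes) -> int:
    return struct.unpack("!H", resp[2:4])[0] & 0x0F


def ancount_of(resp: bytes) -> int:
    return struct.unpack("!H", resp[6:8])[0]


if __name__ == "__main__":
    for name in ("www.example.test.", "nope.example.test.", "www.victim.test."):
        r = build_response(build_query(name))
        print(name, "rcode", rcode_of(r), "answers", ancount_of(r))
```

Wrapping `build_response` in a UDP socket loop turns this into the server; the point of the example is the branch taken when `zone_for` returns `None`, which is what a host receiving misdirected queries answers.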
