[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

Sebastian Nielsen sebastian at sebbe.eu
Tue Jun 6 20:02:44 UTC 2017


My thought is that it's harder to scan for DNS servers and (eventually) attack them if they don't reply at all unless it's absolutely necessary (e.g. if it's an authoritative query for something the server is authoritative for).

Have you heard about GRC, Gibson Research Corporation?
They say that it's better to ignore instead of replying.

-----Original message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 6 June 2017 04:55
To: Sebastian Nielsen <sebastian at sebbe.eu>
Cc: nsd-users at NLnetLabs.nl
Subject: Re: [nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

On Tue, 6 Jun 2017, Sebastian Nielsen wrote:

>>> Is it possible to tell NSD to just drop recursive queries, instead of replying with a “REFUSED” message?
>>
>> Why do you want to receive double the queries?

> What do you mean?

If a real DNS client is sending you a query, and it does not get a response, it will likely try 2 more times. By not answering, you will get double or triple the traffic.

> Some security scans say the following:
>
> External Query:
> Rejected (Recommended: Drop)
>
> And list it as a yellow status.

Some security software needs to hire some DNS people :)

Paul
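The retry behaviour Paul describes can be measured rather than argued about. The script below is an added example for this thread, not code from NSD or from either poster: it builds a raw RD=1 query for a name the server is not authoritative for, emulates a stub resolver (send, wait, retry on silence), and reports both the RCODE it received and how many packets it had to send. Two constructed stand-ins for the server, one answering REFUSED like a default authoritative server and one silently dropping, make the comparison run offline; `udp_transport` lets you point the same probe at a server you administer (the address 192.0.2.1 is a documentation placeholder, not a real server).

```python
"""Probe how an authoritative name server handles a recursive (RD=1) query,
and count how many packets a stub resolver emits when the server stays silent
instead of answering REFUSED.  Added example, not part of the original thread."""
import random
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(qname, qtype=1, rd=True, txid=None):
    """Return (txid, wire bytes) for a single-question DNS query; qtype 1 = A."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    flags = FLAG_RD if rd else 0                      # RD=1 asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def classify_response(txid, data):
    """Return (rcode_name, aa, ra) if `data` is a response to `txid`, else None."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & FLAG_QR:
        return None                                   # wrong transaction or not a response
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & FLAG_AA), bool(flags & FLAG_RA)


def probe(qname, transport, attempts=3):
    """Emulate a stub resolver: send, wait, retry up to `attempts` times on silence.
    `transport(pkt)` returns the response bytes, or None when nothing came back."""
    sent = 0
    for _ in range(attempts):
        txid, pkt = build_query(qname)
        sent += 1
        data = transport(pkt)
        if data is None:
            continue          # silence: a real client retries, so the server sees another packet
        parsed = classify_response(txid, data)
        if parsed is None:
            continue          # txid mismatch or not a response; treat like silence
        rcode, aa, ra = parsed
        return {"outcome": rcode, "aa": aa, "ra": ra, "packets_sent": sent}
    return {"outcome": "TIMEOUT", "aa": None, "ra": None, "packets_sent": sent}


def udp_transport(server, port=53, timeout=2.0):
    """Real network transport: one UDP exchange per call, None on timeout."""
    def send(pkt):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, port))
            try:
                return s.recvfrom(4096)[0]
            except socket.timeout:
                return None
    return send


# Constructed stand-ins for the server so the comparison runs offline.
def refusing_server(pkt):
    """Authoritative server that answers recursion requests with REFUSED:
    echoes txid, RD bit and question; sets QR and RCODE=5; AA and RA stay clear."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    rflags = FLAG_QR | (flags & FLAG_RD) | 5
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + pkt[12:]


def silent_server(pkt):
    """Server (or firewall in front of it) that drops the query."""
    return None


if __name__ == "__main__":
    for label, server in (("REFUSED", refusing_server), ("drop", silent_server)):
        print(label, probe("example.com", server))
    # Against a real server you administer (placeholder address):
    # print(probe("example.com", udp_transport("192.0.2.1")))
```

With the refusing stand-in the probe returns after one packet with RCODE REFUSED and AA clear, which is exactly the "Rejected" result a scanner reports; with the silent stand-in the same client sends all three packets before giving up. Run against a real server, the `packets_sent` figure is the cost a non-answering policy imposes per client query.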


