[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

Sebastian Nielsen sebastian at sebbe.eu
Mon Jun 19 10:38:11 UTC 2017


What do you mean? What are "off-path spoofing attacks", and how would ignoring a query instead of replying to it make you more vulnerable?

Why does Steve Gibson ( http://www.grc.com ) say it's more spoofing-resistant to ignore external queries instead of refusing?

-----Original Message-----
From: Ondřej Surý [mailto:ondrej at sury.org]
Sent: 19 June 2017 09:08
To: Sebastian Nielsen <sebastian at sebbe.eu>; nsd-users at NLnetLabs.nl
Subject: Re: [nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

And make yourself more vulnerable to off-path spoofing attackers? That's a really bad idea.

O.
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for baking bread of all kinds

On Mon, Jun 5, 2017, at 23:24, Sebastian Nielsen wrote:
> Is it possible to tell NSD to just drop recursive queries, instead of 
> replying with a "REFUSED" message?
> 
