Ondřej Surý
2017-Jun-19 07:07 UTC
[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?
And make yourself more vulnerable to off-path spoofing attackers? That's a really bad idea. O. -- Ond?ej Sur? <ondrej at sury.org> Knot DNS (https://www.knot-dns.cz/) ? a high-performance DNS server Knot Resolver (https://www.knot-resolver.cz/) ? secure, privacy-aware, fast DNS(SEC) resolver V?e pro chleba (https://vseprochleba.cz) ? Mouky ze ml?na a pot?eby pro pe?en? chleba v?eho druhu On Mon, Jun 5, 2017, at 23:24, Sebastian Nielsen wrote:> Is it possible to tell NSD to just drop recursive queries, instead of > replying with a "REFUSED" message? > > _______________________________________________ > nsd-users mailing list > nsd-users at NLnetLabs.nl > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users > Email had 1 attachment: > + smime.p7s > 9k (application/pkcs7-signature)
Sebastian Nielsen
2017-Jun-19 10:38 UTC
[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?
What do you mean? What is "off-path spoofing attacks" and how would ignoring a query instead of replying to it, make you more vulnerable? Why does Steve Gibson ( http://www.grc.com ) say its more spoofing-resistant to ignore external queries instead of refusing? -----Ursprungligt meddelande----- Fr?n: Ond?ej Sur? [mailto:ondrej at sury.org] Skickat: den 19 juni 2017 09:08 Till: Sebastian Nielsen <sebastian at sebbe.eu>; nsd-users at NLnetLabs.nl ?mne: Re: [nsd-users] Set NSD to ignore, instead of refusing, external recursive queries? And make yourself more vulnerable to off-path spoofing attackers? That's a really bad idea. O. -- Ond?ej Sur? <ondrej at sury.org> Knot DNS (https://www.knot-dns.cz/) ? a high-performance DNS server Knot Resolver (https://www.knot-resolver.cz/) ? secure, privacy-aware, fast DNS(SEC) resolver V?e pro chleba (https://vseprochleba.cz) ? Mouky ze ml?na a pot?eby pro pe?en? chleba v?eho druhu On Mon, Jun 5, 2017, at 23:24, Sebastian Nielsen wrote:> Is it possible to tell NSD to just drop recursive queries, instead of > replying with a "REFUSED" message? > > _______________________________________________ > nsd-users mailing list > nsd-users at NLnetLabs.nl > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users > Email had 1 attachment: > + smime.p7s > 9k (application/pkcs7-signature)-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 6298 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20170619/f93a8766/attachment.bin>