Paul Wouters
2017-Jun-06 02:55 UTC
[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?
On Tue, 6 Jun 2017, Sebastian Nielsen wrote:

>>> Is it possible to tell NSD to just drop recursive queries, instead of replying with a "REFUSED" message?
>>
>> Why do you want to receive double the queries?

> What do you mean?

If a real DNS client is sending you a query, and it does not get a response, it will likely try 2 more times. By not answering, you will get double or triple the traffic.

> Some security scans say the following:
>
> External Query:
> Rejected (Recommended: Drop)
>
> And list it as a yellow status.

Some security software needs to hire some DNS people :)

Paul
Sebastian Nielsen
2017-Jun-06 20:02 UTC
[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?
My thought is that it's harder to scan for DNS servers and (eventually) attack them, if they don't reply at all unless it's absolutely necessary (e.g. if it's an authoritative query for something the server is authoritative for). Have you heard about GRC, Gibson Research Corporation? They say that it's better to ignore instead of replying.

-----Original message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 6 June 2017 04:55
To: Sebastian Nielsen <sebastian at sebbe.eu>
Cc: nsd-users at NLnetLabs.nl
Subject: Re: [nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

On Tue, 6 Jun 2017, Sebastian Nielsen wrote:

>>> Is it possible to tell NSD to just drop recursive queries, instead of replying with a "REFUSED" message?
>>
>> Why do you want to receive double the queries?

> What do you mean?

If a real DNS client is sending you a query, and it does not get a response, it will likely try 2 more times. By not answering, you will get double or triple the traffic.

> Some security scans say the following:
>
> External Query:
> Rejected (Recommended: Drop)
>
> And list it as a yellow status.

Some security software needs to hire some DNS people :)

Paul