suresh@outblaze.com (Suresh Ramasubramanian) writes:
> > and you're done. any query that anyone sends to your server for that zone will be sent something that will hurt them. eventually they will realize that it's hurting them, and they will stop.
>
> yes but you pointed out before, deploying this would not be a good idea when the queries are coming in from spoofed source addresses .. the best thing for that would be to filter these out.
someone else pointed that out. i don't agree. you can send back three things. icmp-unreach (if there's no nameserver running where the bogus NS+A is pointing); or servfail (or upward delegation) if there's a name server running where the bogus NS+A points but it does not serve the zone; or harmful garbage designed to shift the pain back toward the person who pointed the bad traffic at you in the first place. it's possible that with spoofed-source, these three alternatives are interchangeable. it's definite that filtering out spoofed-source is the best thing to do, but since this is way harder to do as a recipient than as a sender, it's not a realistic alternative to running a dns server with deliberately bad zone data.

-- 
Paul Vixie
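The "servfail" option from the message above, as an added example that is not part of the thread and is not code by either participant: a minimal stdlib-only UDP responder that echoes the question section of any query for a zone it does not serve and sets RCODE 2 (SERVFAIL) with no resource records, so a resolver that was pointed at this host by a bogus NS+A delegation gets a clean, well-formed failure rather than zone data. The served-zone list, the loopback bind address, the unprivileged port 5353 and the name `bogus-zone.example` are assumptions constructed for the example; nothing here implements the "harmful garbage" alternative.

```python
import socket
import struct
from typing import Optional

NOERROR, SERVFAIL, REFUSED = 0, 2, 5   # RCODE values, RFC 1035 section 4.1.1


def _parse_question(query: bytes):
    """Return (qname, end_offset) for the first question in a raw query.
    Compression pointers never legitimately appear in a question, so reject them."""
    labels, off = [], 12
    while True:
        ln = query[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(query[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), off + 4   # skip QTYPE and QCLASS


def respond(query: bytes, served_zones) -> Optional[bytes]:
    """Build a reply for a raw query datagram.

    Names inside a zone we actually serve return None (the caller hands them to
    its real authoritative logic). Anything else gets SERVFAIL with no RRs:
    same ID, question echoed, QR set, RD copied, AA and RA clear.
    """
    if len(query) < 12:
        raise ValueError("short DNS packet")
    ident, flags, qdcount, *_ = struct.unpack("!6H", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = _parse_question(query)
    for zone in served_zones:
        zone = zone.lower().rstrip(".")
        if qname == zone or qname.endswith("." + zone):
            return None
    opcode = flags & 0x7800
    rd = flags & 0x0100
    resp_flags = 0x8000 | opcode | rd | SERVFAIL
    header = struct.pack("!6H", ident, resp_flags, 1, 0, 0, 0)
    return header + query[12:end]


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Encode a simple query with RD set (constructed test input, not captured traffic)."""
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def rcode(pkt: bytes) -> int:
    """RCODE is the low four bits of the flags word."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F


def is_response(pkt: bytes) -> bool:
    """QR is the high bit of the flags word."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x8000)


def serve(port: int, served_zones, max_packets: Optional[int] = None) -> None:
    """UDP loop: one SERVFAIL per unserved query, malformed packets dropped.
    Port 5353 on loopback is assumed for testing; port 53 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        n = 0
        while max_packets is None or n < max_packets:
            data, peer = s.recvfrom(512)
            n += 1
            try:
                reply = respond(data, served_zones)
            except ValueError:
                continue   # not a parseable query: answer nothing
            if reply is not None:
                s.sendto(reply, peer)


if __name__ == "__main__":
    serve(5353, ["example.org"], max_packets=1)
```

Run it and send one query with `dig @127.0.0.1 -p 5353 www.bogus-zone.example` to see `status: SERVFAIL` with an empty answer section; a name under `example.org` is left for real zone logic. Dropping malformed datagrams rather than answering them keeps the responder from amplifying anything, which matters when the source addresses are spoofed.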