On 3/30/2010 5:36 AM, Abdulla Bushlaibi wrote:
> We are facing query drops by using dnsperf tool from ISC testing the
> DNS service via load balancer. Multiple queries from the same source
> port are being dropped partially by the load balancer and as per the
> load balancer vendor feedback, this is a security feature and this
> situation doesn't happen in real life scenarios.
Actually, a thought occurred to me: if they're really trying to improve
the security of the DNS infrastructure by depriving source-port-reusing
clients of usable answers, then the absolute *worst* thing they can do
is *drop* the query. By not competing with forged answers to the same
question, such behavior increases the chance that the client's cache
will get poisoned.
A nice quick REFUSED response would make pretty much the same point
without recklessly endangering the client.
SERVFAIL would accomplish more-or-less the same thing, and persist
longer, and thus inflict more pain, but is not really the appropriate
response to give.
Bogus NXDOMAINs or NODATAs would be outright lies, but at least would
offer a granular way to inflict pain, either on a time basis or per
individual client.
- Kevin
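The race Kevin describes, quantified as an added example (not part of the post): a client that reuses a source port is listening on a known port, so a forged answer only has to hit the 16-bit transaction ID; the model below assumes a single query round, a 2 ms server round trip, a 2 s client timeout and a constructed forging rate, all of which are assumptions, and compares how long the client stays exposed under a "drop" policy versus a prompt REFUSED.

```python
import math

TXID_SPACE = 65536  # 16-bit DNS transaction ID; port is assumed known (reused)


def listen_window(policy, server_rtt_s=0.002, client_timeout_s=2.0):
    """Seconds the client keeps accepting answers for one outstanding query.

    A dropped query leaves the client waiting out its whole timeout; any
    real answer (REFUSED, SERVFAIL, NXDOMAIN, ...) closes the window as soon
    as it arrives. Values are assumptions for illustration.
    """
    if policy == "drop":
        return client_timeout_s
    if policy in ("REFUSED", "SERVFAIL", "NXDOMAIN", "NODATA"):
        return server_rtt_s
    raise ValueError(f"unknown policy: {policy}")


def poisoning_probability(window_s, forged_pps, txid_space=TXID_SPACE):
    """Probability that at least one forged response with a random TXID is
    accepted before the client stops listening (each guess independent)."""
    attempts = forged_pps * window_s
    return 1.0 - (1.0 - 1.0 / txid_space) ** attempts


def compare_policies(forged_pps=20000, server_rtt_s=0.002, client_timeout_s=2.0):
    """Exposure of one query round under each policy, for a constructed
    forging rate of forged_pps packets per second."""
    return {
        policy: poisoning_probability(
            listen_window(policy, server_rtt_s, client_timeout_s), forged_pps
        )
        for policy in ("drop", "REFUSED")
    }


if __name__ == "__main__":
    for policy, p in compare_policies().items():
        print(f"{policy:8s} exposure per query round: {p:.4%}")
```

The drop policy leaves the client exposed for the full timeout (and it will then retry, repeating the round), while an immediate REFUSED shuts the window after one round trip; the ratio between the two is roughly timeout divided by round trip.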
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users