Thanks for the info. Also I'll have to note that I completely missed that the "offending IP" is one of the .uk root servers so the next logical conclusion is I've probably got a box in one of my environments driving an amplification attack of some sort or something at those IPs that I need to figure out. Sorry for the bother and thanks for the feedback. Much appreciated.
On Mon, Aug 8, 2016 at 10:51 AM, Ray Bellis <r...@isc.org> wrote:

> On 08/08/2016 18:43, Darcy Kevin (FCA) wrote:
> > As already noted, allow-query will cause you to send back a REFUSED
> > response. That’s sort of the whole point of the REFUSED RCODE.
> >
> > If you want to not send back any response **whatsoever**, then take a
> > look at the “blackhole” statement, but, honestly, this kind of “drop”
> > function may, depending on network topology, be more efficiently
> > performed in your firewall or IDS/IPS.
> >
> > Be aware that a client that doesn’t get a response may retry the query,
> > so simply “dropping” queries may ultimately prove counter-productive.
>
> and also see Mark Andrews' Internet Draft on this very topic:
>
> https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03
>
> Ray
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
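The two behaviours contrasted in the quoted reply, side by side in a named.conf fragment. This is an added example, not configuration from any poster in this thread; the ACL names and address ranges are constructed placeholders (RFC 5737 documentation ranges).

```conf
// Constructed example: ACL names and addresses are placeholders,
// not values taken from this thread.
acl "trusted-clients" { 192.0.2.0/24; localhost; };
acl "silent-drop"     { 198.51.100.0/24; };

options {
    // Sources outside this list still receive a reply: RCODE REFUSED.
    // The server therefore keeps emitting one packet per rejected query.
    allow-query { "trusted-clients"; };

    // Queries from these sources are not answered at all.
    // named also stops using these addresses when resolving, so an
    // authoritative server's address listed here is no longer queried
    // by a recursive instance.
    blackhole { "silent-drop"; };
};
```

`named-checkconf` validates the syntax before a reload. Because `blackhole` works in both directions, check whether an address belongs to an authoritative server the resolver depends on before listing it.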