On 4/12/21 1:41 PM, Peter Coghlan wrote:
> As far as I can see providing no response at all in any instance when a code 5 refused response would normally be returned would be the appropriate thing for my nameserver to do here and doing this would cause no difficulties at all with any legitimate queries or anyone who is not an abuser. Am I correct here?

You might consider filtering the egress code 5 from your server via local firewall. I'm not entirely sure how to do this. But I suspect that your platform's firewall has an option.

I know that I've used iptables' "string" match extension to filter out problematic inbound queries at times in the past. Perhaps something like this could be pressed into service to filter outgoing code 5 replies.

You might be able to apply the same methodology to filter unwanted inbound queries to completely avoid sending the reply code at all.

> All results of my research point to the use of rate limiting as the only approach available for dealing with this sort of issue.

There are always multiple ways to do things. It's a question of how practical they are.



--
Grant. . . .
unix || die
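A way to check the offset arithmetic before putting such a firewall rule in place, as an added example that is not from this thread and not ISC's or BIND's code: the script below builds a constructed IPv4/UDP datagram carrying a REFUSED (RCODE 5) response and emulates the iptables `u32` expression `0>>22&0x3C@8&0x800F=0x8005`, which reads the IP header length, skips the 8-byte UDP header, and tests the QR bit together with the RCODE nibble of the DNS flags word. The `string` match cannot do this cleanly because the transaction ID and the AA/RD/RA bits around the RCODE vary from reply to reply, so a literal byte pattern either misses replies or matches unrelated bytes. The addresses, ports, query name and the rule text are assumptions chosen for illustration; checksums are left zero because the packet is never sent.

```python
"""Emulate an iptables u32 match for outgoing DNS REFUSED (RCODE 5) replies.

Added example for the bind-users discussion above; not code from the thread,
from ISC or from BIND.  All packet contents below are constructed.
"""
import struct

RCODE_REFUSED = 5

# Assumed rule text (UDP, IPv4 only): drop egress replies whose QR bit is set
# and whose RCODE is 5.  Use on the OUTPUT chain of the nameserver host.
IPTABLES_RULE = (
    'iptables -A OUTPUT -p udp --sport 53 '
    '-m u32 --u32 "0>>22&0x3C@8&0x800F=0x8005" -j DROP'
)


def dns_message(flags: int, qname: bytes = b"example.com") -> bytes:
    """Build a minimal DNS message: 12-byte header plus one A/IN question."""
    labels = b"".join(bytes([len(part)]) + part for part in qname.split(b"."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)  # ID, flags, counts
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_rcode(dns: bytes) -> tuple:
    """Return (is_response, rcode) read from a raw DNS header."""
    if len(dns) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", dns[2:4])[0]
    return bool(flags & 0x8000), flags & 0x000F


def ipv4_udp(payload: bytes, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Wrap payload in UDP and IPv4 headers (checksums zero, never sent).

    IPv4 options are padded to a 4-byte boundary so the IHL field is valid;
    this is what makes the u32 '0>>22&0x3C' header-length trick necessary.
    """
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = ihl * 4 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # assumed, documentation range
    ) + options
    return ip + udp


def u32_refused_match(packet: bytes) -> bool:
    """Emulate --u32 "0>>22&0x3C@8&0x800F=0x8005" on a raw IPv4 packet.

    u32 loads 4 bytes big-endian at each offset; a load past the end of the
    packet makes the whole match fail, mirroring the kernel's behaviour.
    """
    if len(packet) < 4:
        return False
    word0 = int.from_bytes(packet[:4], "big")
    hdr_len = (word0 >> 22) & 0x3C          # IHL * 4 = IPv4 header length
    off = hdr_len + 8                        # skip UDP header -> DNS ID + flags
    if len(packet) < off + 4:
        return False
    word = int.from_bytes(packet[off:off + 4], "big")
    return (word & 0x800F) == (0x8000 | RCODE_REFUSED)   # QR=1 and RCODE=5


if __name__ == "__main__":
    refused = ipv4_udp(dns_message(0x8505), 53, 40000)            # QR,AA,RD + RCODE 5
    noerror = ipv4_udp(dns_message(0x8580), 53, 40000)            # QR,AA,RD,RA + RCODE 0
    query = ipv4_udp(dns_message(0x0100), 40000, 53)              # inbound query, QR=0
    for name, pkt in (("REFUSED", refused), ("NOERROR", noerror), ("query", query)):
        print(f"{name:8s} drop={u32_refused_match(pkt)}")
    print(IPTABLES_RULE)
```

Two caveats before relying on this: the expression only covers UDP over IPv4 (TCP replies carry a two-byte length prefix behind a variable-length TCP header, and IPv6 needs its own offset arithmetic in ip6tables), and silently dropping a reply means a legitimately misdirected resolver waits for a timeout and retries instead of getting an immediate REFUSED, so watch query counts after enabling the rule.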

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users