Re: Dropping external recursive requests

2008-12-04 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> On Dec 3, 6:26 pm, Mark Andrews <[EMAIL PROTECTED]> wrote:
> > If it is a forged packet it should be dropped regardless of the setting
> > of RD.
>
> True, however not something that's easily determined from a distance.
>
> Ideally ing

Re: Dropping external recursive requests

2008-12-03 Thread john
On Dec 3, 6:26 pm, Mark Andrews <[EMAIL PROTECTED]> wrote:
> If it is a forged packet it should be dropped regardless of the setting
> of RD.

True, however not something that's easily determined from a distance. Ideally ingress filtering would render this a non-issue, however there obviously hole

Re: Dropping external recursive requests

2008-12-03 Thread Mark Andrews
In message <[EMAIL PROTECTED] t>, Alberto Colosi/SI/RM/GSI/it writes:
> why not? better handled by isc and done in a clean way than 1.000.000 of
> dirty ways as these ;)

Please go read RFC 5358. Nowhere in there does it say to drop responses. If we thought that dropping queries

Re: Dropping external recursive requests

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
er of IBM Information Security WW CoP

Mark Andrews <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/12/2008 00.26
To [EMAIL PROTECTED]
cc
Subject Re: Dropping external recursive requests

One needs to be really, really careful here. There are lots of unverifiable assumptions in the

Re: Dropping external recursive requests

2008-12-03 Thread Mark Andrews
One needs to be really, really careful here. There are lots of unverifiable assumptions in the OP query. Also rd being set may just be the result of someone testing with a tool which sets rd by default. Going silent on a query/responses protocol is not a good idea. There are already too many fir

Re: Dropping external recursive requests

2008-12-03 Thread Chris Buxton
That ought to work, and work well. This will not impact outside name servers that query your name server, because they send iterative queries. If they're sending recursive queries, they're abusing your server. I can't see any problems with this approach. If you have authoritative data in the thir

Dropping external recursive requests

2008-12-03 Thread john
Our DNS server occasionally gets requests for recursion with forged src addresses. Currently our server returns "Standard query response, Refused" since our named.conf only allows recursion for our internal machines. This, of course, results in the poor machine whose address was forged receiving sp