[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

Tom Hendrikx tom at whyscream.net
Wed Jun 7 07:35:56 UTC 2017


If you run a hidden service, i.e. one that is not pointed to by other
public services such as DNS records specifying you as NS, you might be

But when your service is initially public, then why should you make it
harder for people to use it? Abusers will come by anyway, they're not
fooled by the fact that you're dropping packets sometimes...

My 2 cents,

On 06-06-17 22:02, Sebastian Nielsen wrote:
> My thought is that it's harder to scan for DNS servers and (eventually)
> attack them, if they don't reply at all unless it's absolutely necessary
> (e.g. if it's an authoritative query for something the server is
> authoritative for).
> Have you heard about GRC, Gibson Research Corporation? They say that
> it's better to ignore instead of replying.
> -----Original message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Sent: 6 June 2017 04:55
> To: Sebastian Nielsen <sebastian at sebbe.eu>
> Cc: nsd-users at NLnetLabs.nl
> Subject: Re: [nsd-users] Set NSD to ignore, instead of refusing,
> external recursive queries?
> On Tue, 6 Jun 2017, Sebastian Nielsen wrote:
>>>> Is it possible to tell NSD to just drop recursive queries,
>>>> instead of replying with a “REFUSED” message?
>>> Why do you want to receive double the queries?
>> What do you mean?
> If a real DNS client is sending you a query, and it does not get a
> response, it will likely try 2 more times. By not answering, you will
> get double or triple the traffic.
>> Some security scans say the following:
>> External Query: Rejected (Recommended: Drop)
>> And list it as a yellow status.
> Some security software needs to hire some DNS people :)
> Paul
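What the REFUSED answer discussed in this thread looks like on the wire, as an added example that is not part of the original messages and is not NSD's code: it builds a recursive (RD=1) query and the matching REFUSED reply, which carries only the echoed header and question. The function names and the sample name `example.com` are assumptions made for illustration.

```python
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
OPCODE_MASK, RCODE_REFUSED = 0x7800, 5

def build_query(qid, name, qtype=1, rd=True):
    """Wire-format DNS query with one question, class IN (constructed sample)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def question_end(msg):
    """Offset just past the first question, or None if it is malformed."""
    pos = 12
    try:
        while msg[pos] != 0:
            if msg[pos] > 63:          # compression pointer or bad label length
                return None
            pos += 1 + msg[pos]
    except IndexError:                 # ran off the end of the datagram
        return None
    end = pos + 1 + 4                  # root label + QTYPE + QCLASS
    return end if end <= len(msg) else None

def refuse(query):
    """REFUSED reply: same ID and question, QR set, RD copied, RA clear."""
    if len(query) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    end = question_end(query)
    if flags & FLAG_QR or qdcount != 1 or end is None:
        return None                    # not a well-formed single-question query
    rflags = FLAG_QR | (flags & OPCODE_MASK) | (flags & FLAG_RD) | RCODE_REFUSED
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:end]

def parse_header(msg):
    """Decode the header fields that matter for the REFUSED-vs-drop question."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F}

if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    r = refuse(q)
    print(parse_header(r), "query bytes:", len(q), "reply bytes:", len(r))
```

A reply built this way is the same size as the query it answers, and the client that receives it has an answer rather than a timeout.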