[Unbound-users] Define a local zone to return NXDOMAIN
Maciej Soltysiak
maciej at soltysiak.com
Mon Sep 1 13:37:08 UTC 2014
On Sun, Aug 31, 2014 at 9:53 PM, Sonic <sonicsmith at gmail.com> wrote:
> On Sun, Aug 31, 2014 at 3:24 PM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
>> You mean you want to reply nxdomain for domains of your choosing?
>> If so, then this is your answer:
>>
>> local-zone: "ads.youtube.com" refuse
>> local-zone: "googlesyndication.com" refuse
>
> Refuse does not supply NXDOMAIN.
>
> Test it yourself and see the man page:
> ===============================================
> refuse Send an error message reply, with rcode REFUSED. If there is
> a match from local data, the query is answered.
>
> static If there is a match from local data, the query is answered.
> Otherwise, the query is answered with nodata or nxdomain.
> For a negative answer a SOA is included in the answer if
> present as local-data for the zone apex domain.
> ===============================================
I stand corrected.
When deploying my own set of refused zones I opted for REFUSED rcode
because that's actually more informative and to the fact.
I'm not lying that the domain doesn't exist; I'm saying I am refusing to
answer this question.
I guess it must be very very rare that applications make a distinction
between REFUSED and NXDOMAIN.
That goes even lower down the IP stack. I rarely DROP packets. I
mostly send ICMP Admin prohibited. Especially for UDP traffic.
> Chris
Maciej
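As an added example (not from the thread or from the Unbound project) here is the distinction in unbound.conf terms: the first zone answers with REFUSED as in the original suggestion, the second uses `static` so that names under it get NXDOMAIN (or NODATA), and the optional SOA local-data gives the negative answer an authority record as the quoted man page excerpt describes. The zone names are the ones from the thread; the SOA field values are made-up placeholders.

```conf
server:
    # Matches the original suggestion: queries under this name get rcode REFUSED.
    local-zone: "ads.youtube.com" refuse

    # 'static': names under this zone with no local-data get NXDOMAIN
    # (or NODATA when the name exists but the queried type does not).
    local-zone: "googlesyndication.com" static

    # Optional: with an SOA at the zone apex the negative answer carries it
    # in the authority section. Nameserver, mailbox and timers are placeholders.
    local-data: "googlesyndication.com. 3600 IN SOA ns.invalid. hostmaster.invalid. 1 3600 900 604800 3600"
```

To check the difference, query each zone against the resolver (for example `dig @127.0.0.1 www.googlesyndication.com`) and compare the `status:` field in the header: the `refuse` zone reports REFUSED, the `static` zone reports NXDOMAIN.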