[Unbound-users] Define a local zone to return NXDOMAIN

Sonic sonicsmith at gmail.com
Mon Sep 1 13:48:28 UTC 2014

On Mon, Sep 1, 2014 at 9:37 AM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
> When deploying my own set of refused zones I opted for REFUSED rcode
> because that's actually more informative and to the fact.
> I'm not lying the domain doesn't exist, I'm saying I am refusing to
> answer this question.

Same here.

> I guess it must be very very rare that applications make a distinction
> between REFUSED and NXDOMAIN.

I'm not aware of any cases off hand.

> That goes even lower down the IP stack. I rarely DROP packets. I
> mostly send ICMP Admin prohibited. Especially for UDP traffic.

I try to use a good working mix, and do answer ping requests. I think
the whole "stealth" stance is not net friendly.


More information about the Unbound-users mailing list