nanog mailing list archives

Re: DNS Blocking


From: Paul Vixie <vixie () vix com>
Date: 19 Aug 2004 23:20:22 +0000


suresh () outblaze com (Suresh Ramasubramanian) writes:

> > and you're done.  any query that anyone sends to your server for that zone
> > will be sent something that will hurt them.  eventually they will realize
> > that it's hurting them, and they will stop.
>
> yes but you pointed out before, deploying this would not be a good idea
> when the queries are coming in from spoofed source addresses .. the best
> thing for that would be to filter these out.

someone else pointed that out.  i don't agree.  you can send back three
things.  icmp-unreach (if there's no nameserver running where the bogus
NS+A is pointing); or servfail (or upward delegation) if there's a name
server running where the bogus NS+A points but it does not serve the zone;
or harmful garbage designed to shift the pain back toward the person who
pointed the bad traffic at you in the first place.

it's possible that with spoofed-source, these three alternatives are
interchangeable.

it's definite that filtering out spoofed-source is the best thing to do,
but since this is way harder to do as a recipient than as a sender, it's
not a realistic alternative to running a dns server with deliberately bad
zone data.
-- 
Paul Vixie
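As an added example (not code from either message in this thread), here is what two of the three responses Vixie lists look like on the wire for a server that has been pointed at by a bogus NS+A but does not serve the zone: a SERVFAIL, and an upward delegation (NOERROR, AA clear, an NS record for the root in the AUTHORITY section). The first alternative, icmp-unreach, is simply not listening on the port, so there is nothing to encode; the third, "harmful garbage", is deliberately not shown. Everything is standard-library Python over RFC 1035 wire format; the query name, transaction id, served-zone list and the root server name are constructed for the example, and a real server would refer to the servers of the closest enclosing zone it actually knows rather than a fixed root name.

```python
import struct

# DNS header flag bits and rcodes (RFC 1035 section 4.1.1)
QR = 0x8000          # response bit
RD = 0x0100          # recursion desired; copied from the query into the reply
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
TYPE_NS, CLASS_IN = 2, 1


def encode_name(name):
    """Encode a dotted name as DNS labels; "." encodes as the root label b"\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    """Constructed client query (example input): one question, RD set, no other sections."""
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))


def parse_query(msg):
    """Return the header fields and the first question of a DNS message (query or reply)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                   # skip the terminating root label
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": msg[12:off + 4]}


def header(msg):
    """(id, flags, qdcount, ancount, nscount, arcount) of a message."""
    return struct.unpack("!HHHHHH", msg[:12])


def rcode(msg):
    return header(msg)[1] & 0x000F


def servfail_response(query):
    """Alternative 2a: SERVFAIL, echoing the query's id and question section."""
    q = parse_query(query)
    flags = QR | (q["flags"] & RD) | RCODE_SERVFAIL
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + q["question"]


def upward_delegation_response(query, parent_ns="a.root-servers.net.", ttl=3600):
    """Alternative 2b: NOERROR, AA clear, one NS record for "." in AUTHORITY.

    The root server name is an assumption for the example only.
    """
    q = parse_query(query)
    flags = QR | (q["flags"] & RD) | RCODE_NOERROR
    rdata = encode_name(parent_ns)
    # owner name "." + TYPE + CLASS + TTL + RDLENGTH + RDATA
    rr = encode_name(".") + struct.pack("!HHIH", TYPE_NS, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 1, 0) + q["question"] + rr


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def respond(query, served_zones, upward=False):
    """What a server that does NOT serve the bogus zone sends back.

    Returns None when the name lies inside a zone this server really serves
    (the normal authoritative path, which this example does not implement).
    """
    q = parse_query(query)
    if any(in_zone(q["qname"], z) for z in served_zones):
        return None
    return upward_delegation_response(query) if upward else servfail_response(query)


if __name__ == "__main__":
    # Constructed query for a name somebody else's bogus delegation pointed at us.
    q = build_query(0x1234, "www.bogus-zone.example.")
    print("SERVFAIL  :", respond(q, ["real.example."]).hex())
    print("delegation:", respond(q, ["real.example."], upward=True).hex())
```

Whichever of the two a resolver receives, it learns nothing useful about the zone and moves on; with a spoofed source address neither reply reaches the party that sent the query, which is the sense in which the alternatives become interchangeable.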

