[dnsdist] Reply processing: Drop actions for RCODE and proxy RRL

Terry Burton tez at terryburton.co.uk
Wed May 11 14:53:18 UTC 2016

On 11 May 2016 at 15:13, David <opendak at shaw.ca> wrote:
> On 2016-05-10 6:17 PM, Terry Burton wrote:
>> Occasionally I have found a reason to drop replies to spoofed
>> addresses having RCODE=REFUSED. One benefit is that this would mean
>> that I can avoid the outgoing traffic in response to queries for zones
>> for which I am not authoritative without having to provide the
>> authoritative list to dnsdist. (Maybe the general case is bad
>> netizenship since it results in resolvers having to wait for timeout
>> to detect lame delegations...)
> How are you able to tell if the address is spoofed or not?

Sorry, I wasn't clear. The fact that these are spoofed addresses is
incidental. It is the dropping of replies with RCODE refused that's
the point as I have occasionally seen (non-amplifying) DDoS queries
for completely random labels.

> In the general
> sense your auth server should always respond with something, otherwise you
> risk the chance (and it's quite easy) of someone being able to mark your
> name servers as "dead"

Dropping of queries for non-authoritative names has been common enough
that most resolvers track lame servers based on the <ip,qname,qtype>
tuple, not <ip> alone.
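As an added illustration that is not part of this thread (which predates the feature it requests), the behaviour discussed above can be expressed in a dnsdist Lua configuration once response rules are available. The snippet assumes a dnsdist release that provides RCodeRule, DNSRCode.REFUSED, LuaResponseAction, DNSResponseAction.None, DropResponseAction and addResponseAction; the backend address is a constructed documentation value. It counts REFUSED replies before dropping them, so the effect of the rule stays visible in the console, and it scopes the drop to REFUSED only, which is the case the reply above argues resolvers handle per <ip,qname,qtype> rather than by marking the whole server lame.

```lua
-- Added example (not the thread's or dnsdist's own code): drop replies whose
-- RCODE is REFUSED before they leave dnsdist, as discussed in the message above.
-- Assumes a dnsdist build with response rules (RCodeRule, DropResponseAction,
-- LuaResponseAction, addResponseAction); these were added after this 2016 post.

-- Backend authoritative server (constructed address from the documentation range).
newServer({address = "192.0.2.53"})

-- Counter kept in the Lua state so the number of suppressed REFUSED replies
-- can be inspected from the dnsdist console (print(refusedDropped)).
refusedDropped = 0

-- Lua response action: increment the counter and let evaluation continue to
-- the next response rule (DNSResponseAction.None = "no decision, keep going").
function countRefused(dr)
  refusedDropped = refusedDropped + 1
  return DNSResponseAction.None
end

-- Response rules run in order: count REFUSED replies first, then drop them.
-- Only RCODE=REFUSED is matched; NXDOMAIN, NOERROR and SERVFAIL are still sent,
-- so the server keeps answering for the zones it is authoritative for.
addResponseAction(RCodeRule(DNSRCode.REFUSED), LuaResponseAction(countRefused))
addResponseAction(RCodeRule(DNSRCode.REFUSED), DropResponseAction())
```

The ordering matters: a DropResponseAction ends processing, so the counting rule has to precede it. The trade-off raised earlier in the thread still applies: a resolver that sees no reply at all for a name has to time out, so this is only appropriate where the REFUSED replies are themselves the unwanted traffic.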
