On Dec 3, 6:26 pm, Mark Andrews <[EMAIL PROTECTED]> wrote:
> If it is a forged packet it should be dropped regardless of the setting
> of RD.

True, however not something that's easily determined from a distance.
Ideally ingress filtering would render this a non-issue, however there
obviously are holes in the current filtering done by ISPs.

> If the only reason to think the packet is forged is the setting
> of RD=1 then the OP has committed a reasoning error.

The situation that we've encountered on a couple of occasions is a steady
stream (several a second) of the exact same query with the same source
address for several days. When we contact the owner of the source address,
they state they're under DDoS attack and are not the source of the request.
Part of the attack they experience is the Refused response from our DNS
server.

> Also rd being set may just be the result of someone testing with
> a tool which sets rd by default.

In which case they can change the setting. Which is worse ... occasionally
dropping a request from someone using a misconfigured tool / server, or
participating in a larger DDoS attack? Granted that dropping external
requests with RD=1 doesn't eliminate the potential for DDoS attacks, it
just changes it.

> One needs to be really, really careful here.

Understood ... and I realize that things shouldn't be oversimplified (i.e.
by assuming RD=1 must mean an evil request). Part of the purpose for this
post is to start a discussion on the pros / cons.

--
John
[EMAIL PROTECTED]

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
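The pattern John describes (the same RD=1 query arriving several times a second from one source address for days, where the source turns out to be a spoofing victim) can be picked out of a BIND 9 query log before deciding on any ACL. The following is an added detection example, not code from the thread or from ISC; it assumes the BIND 9 querylog line format in which the flag field after the record type begins with `+` when the client set RD and `-` when it did not, and all log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 query-log line shape (constructed sample, not a real log):
#   03-Dec-2007 18:26:01.100 client 192.0.2.10#5353: query: example.com IN A + (203.0.113.5)
# The flag field after the record type starts with '+' when RD was set, '-' otherwise.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<src>[^#]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Parse one query-log line; return None for lines that do not match."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "src": m.group("src"),
        "qname": m.group("qname").lower(),
        "qtype": m.group("qtype"),
        "rd": m.group("flags").startswith("+"),
    }


def find_repeated_rd_queries(lines, min_per_second=2.0, min_count=10):
    """Return {(src, qname, qtype): queries_per_second} for RD=1 streams that
    repeat the identical question from one source faster than the threshold.
    A hit means 'investigate and contact the address owner', not 'attacker':
    in the scenario above the listed source is usually the spoofing victim."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rd"]:
            buckets[(rec["src"], rec["qname"], rec["qtype"])].append(rec["ts"])
    suspects = {}
    for key, stamps in buckets.items():
        if len(stamps) < min_count:
            continue
        span = (max(stamps) - min(stamps)).total_seconds()
        rate = len(stamps) / max(span, 1.0)  # avoid dividing by a zero-length window
        if rate >= min_per_second:
            suspects[key] = rate
    return suspects


# Constructed sample: 12 identical RD=1 queries from one address in ~3.3 s,
# one ordinary non-recursive lookup, one lone RD=1 query, and one junk line.
SAMPLE_LOG = [
    f"03-Dec-2007 18:26:{sec:02d}.{ms:03d} client 192.0.2.10#5353: "
    f"query: example.com IN A + (203.0.113.5)"
    for sec, ms in ((1, 100), (1, 400), (1, 700), (2, 0), (2, 300), (2, 600),
                    (2, 900), (3, 200), (3, 500), (3, 800), (4, 100), (4, 400))
] + [
    "03-Dec-2007 18:26:02.050 client 198.51.100.7#40123: query: www.example.com IN A -E (203.0.113.5)",
    "03-Dec-2007 18:26:03.010 client 198.51.100.8#40124: query: example.com IN MX + (203.0.113.5)",
    "03-Dec-2007 18:26:03.011 unparseable line that the regex must skip",
]

if __name__ == "__main__":
    for (src, qname, qtype), rate in find_repeated_rd_queries(SAMPLE_LOG).items():
        print(f"{src} repeats {qname}/{qtype} with RD=1 at {rate:.1f} q/s; contact owner before filtering")
```

Running it on the constructed log reports only 192.0.2.10 (about 3.6 queries per second of the same question); the single RD=1 MX query and the RD=0 lookup are left alone, which is the distinction the thread is after: a steady repeated stream, not the RD bit by itself, is what justifies a closer look.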