On 08. 09. 25 16:27, Michael Richardson wrote:
> Ondřej Surý <[email protected]> wrote:
>> I can definitely say this is not going to be implemented and nobody should.
>> Not returning an answer is a protocol violation that can lead to the DNS
>> spoofing window being much larger.
>
> Surely I'm allowed to *not* run a DNS server on an IP address, and
> dropping replies surely fits into that space :-)
>
>> There are also servers like BIND 9 that maintain state per server/IP
>> address, and an attacker can point her domain name to your server and
>> use this to manipulate the remote server's state by asking for such a
>> name at the victim resolver.
>
> Yes, that's an interesting concern. It might be worth the risk.

See https://dl.acm.org/doi/pdf/10.1145/3576915.3616647 and decide for your setup.

-- 
Petr Špaček

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
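To make the two concerns in the thread concrete, here is a small toy model added for this page; it is not code from BIND 9 or from any poster, and it does not reproduce a real resolver's server-selection algorithm. It assumes a hypothetical authoritative server at 192.0.2.53 that hosts good.example and applies one of two policies to every other name (silently drop, or answer REFUSED), a shared recursive resolver that counts consecutive timeouts per server address and stops trying an address after three of them (an invented threshold standing in for the far richer per-server bookkeeping real resolvers keep), and an attacker who has delegated evil.example to that same address. The model shows both effects Ondřej describes: a dropped query keeps the resolver's transaction open for the full timeout instead of one round trip, and the attacker's queries alone are enough to get the victim's address marked unresponsive, so the legitimate zone on it stops resolving.

```python
"""Toy model (constructed for this page, not BIND 9 code) of an authoritative
server that silently drops queries versus one that answers REFUSED, seen from
a recursive resolver that keeps state per server address."""
from dataclasses import dataclass, field

DROP = "drop"        # server discards the query and sends nothing
REFUSED = "refused"  # server answers immediately with RCODE REFUSED
ANSWER = "answer"    # server answers normally

# Hypothetical address and threshold used only in this simulation.
VICTIM_IP = "192.0.2.53"   # the server you run; authoritative for good.example
AVOID_AFTER = 3            # toy rule: stop trying an address after this many timeouts


@dataclass
class ToyResolver:
    timeout_ms: int = 800
    # Consecutive timeouts observed per server address (toy stand-in for the
    # per-server RTT / lameness bookkeeping a real resolver maintains).
    timeouts: dict = field(default_factory=dict)

    def send(self, server_ip: str, behaviour: str, rtt_ms: int = 20):
        """Send one query to server_ip; return (outcome, window_ms).

        window_ms is how long the transaction stays open, i.e. how long a
        forged reply with the right ID and port would still be accepted.
        """
        if self.timeouts.get(server_ip, 0) >= AVOID_AFTER:
            # Address already judged unresponsive: the resolver does not try it.
            return "servfail", 0
        if behaviour == DROP:
            self.timeouts[server_ip] = self.timeouts.get(server_ip, 0) + 1
            return "timeout", self.timeout_ms
        self.timeouts[server_ip] = 0   # any reply clears the penalty
        return behaviour, rtt_ms


def victim_server(qname: str, policy: str) -> str:
    """Authoritative server at VICTIM_IP: answers its own zone and applies
    `policy` (DROP or REFUSED) to every other name."""
    if qname == "good.example" or qname.endswith(".good.example"):
        return ANSWER
    return policy


def run_scenario(policy: str) -> dict:
    """Attacker delegates evil.example to VICTIM_IP and asks the shared
    resolver for names under it; afterwards a legitimate client asks the
    same resolver for www.good.example."""
    resolver = ToyResolver()
    attacker_windows = []
    for i in range(AVOID_AFTER):
        qname = f"{i}.evil.example"
        _, window = resolver.send(VICTIM_IP, victim_server(qname, policy))
        attacker_windows.append(window)
    legit_outcome, _ = resolver.send(VICTIM_IP, victim_server("www.good.example", policy))
    return {"attacker_windows_ms": attacker_windows, "legit_outcome": legit_outcome}


if __name__ == "__main__":
    for policy in (DROP, REFUSED):
        print(policy, run_scenario(policy))
```

With the drop policy each attacker query holds the resolver's transaction open for the full 800 ms timeout rather than a 20 ms round trip, and after three such queries the resolver gives up on 192.0.2.53 entirely, so the later query for www.good.example fails even though the server would have answered it. With the REFUSED policy the same queries complete in one round trip, leave no penalty behind, and the legitimate query is answered. The numbers and the three-strikes rule are the model's assumptions; the linked paper covers how real resolvers behave.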

