In message <ofcf702966.7607757e-on85257b26.005775d2-85257b26.005b3...@e1b.org>, [email protected] writes:
> I recently helped close down an open recursive resolver.  It is still
> getting a lot of queries for isc.org/ANY which get a refused response
> (unless slipped/dropped by RRL).  Granted, this doesn't amplify the attack
> since REFUSED is a fairly small packet, but it is still traffic to the
> attacked site.
>
> Given that no properly configured server should be querying this recursive
> name server for isc.org, why should it respond with anything?  Why not
> just drop the packet for any recursive request if it is not going to
> answer it.  I supposed in the good old days, it was polite to say, "Sorry,
> I can't answer that."  We also used to accept unsolicited commercial
> emails.  The RFCs state we should either reject during SMTP or if we
> accept a message, we should either deliver or generate a delivery failure.
> Now we filter and drop spam on the floor.

It is still polite.  Delegations to servers not configured for a zone
happen all the time.  Go look at the logs of any recursive server that
reports these.

Mark

% grep REFUSED /Library/Logs/named.log
05-Mar-2013 07:13:43.692 error (unexpected RCODE REFUSED) resolving 'jlc.net/NS/IN': 216.177.0.15#53
05-Mar-2013 07:13:43.808 error (unexpected RCODE REFUSED) resolving '_adsp._domainkey.jlc.net/TXT/IN': 216.177.0.15#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns2.jlc.net/A/IN': 192.156.97.61#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns1.jlc.net/A/IN': 192.156.97.61#53
05-Mar-2013 07:13:45.196 error (unexpected RCODE REFUSED) resolving 'ns2.jlc.net/A/IN': 192.156.97.193#53
05-Mar-2013 07:13:45.202 error (unexpected RCODE REFUSED) resolving 'ns1.jlc.net/A/IN': 192.156.97.193#53
06-Mar-2013 15:37:43.069 error (unexpected RCODE REFUSED) resolving 'www.openssl.org/AAAA/IN': 194.97.152.160#53
06-Mar-2013 15:37:43.073 error (unexpected RCODE REFUSED) resolving 'www.openssl.org/A/IN': 194.97.152.160#53
%
% grep lame /Library/Logs/named.log
04-Mar-2013 18:15:42.865 lame server resolving 'bartcentral.dommel.be' (in 'dommel.be'?): 193.109.184.66#53
04-Mar-2013 18:15:42.865 lame server resolving 'bartcentral.dommel.be' (in 'dommel.be'?): 193.109.184.66#53
05-Mar-2013 07:11:56.573 lame server resolving 'isdg.net' (in 'isdg.net'?): 198.6.1.65#53
05-Mar-2013 07:11:56.631 lame server resolving 'tms1._domainkey.isdg.net' (in 'isdg.net'?): 198.6.1.65#53
05-Mar-2013 07:11:57.603 lame server resolving '_adsp._domainkey.isdg.net' (in 'isdg.net'?): 2600:803:408:2::10#53
06-Mar-2013 15:37:55.502 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:37:55.533 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:37:55.843 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 80.237.128.1#53
06-Mar-2013 15:37:55.876 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 80.237.128.1#53
%
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
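
Added example, not part of the original message and not ISC code: a Python sketch that tallies the two named.log message shapes shown above per remote server, so a resolver operator can see which delegated servers answer REFUSED or are lame, and for what. The function names are hypothetical; the sample lines are copied from the excerpt above, except the last, which is constructed.

```python
import re
from collections import defaultdict

# The two named.log message shapes quoted in the message above.
REFUSED_RE = re.compile(
    r"unexpected RCODE REFUSED\) resolving '(?P<name>[^/']+)/[^']*': (?P<server>\S+)#\d+$")
LAME_RE = re.compile(
    r"lame server resolving '[^']+' \(in '(?P<zone>[^']+)'\?\): (?P<server>\S+)#\d+$")

# Lines copied from the excerpt above; the last line is constructed noise.
SAMPLE_LOG = """\
05-Mar-2013 07:13:43.692 error (unexpected RCODE REFUSED) resolving 'jlc.net/NS/IN': 216.177.0.15#53
05-Mar-2013 07:13:43.808 error (unexpected RCODE REFUSED) resolving '_adsp._domainkey.jlc.net/TXT/IN': 216.177.0.15#53
05-Mar-2013 07:13:44.938 error (unexpected RCODE REFUSED) resolving 'ns2.jlc.net/A/IN': 192.156.97.61#53
05-Mar-2013 07:11:56.573 lame server resolving 'isdg.net' (in 'isdg.net'?): 198.6.1.65#53
05-Mar-2013 07:11:57.603 lame server resolving '_adsp._domainkey.isdg.net' (in 'isdg.net'?): 2600:803:408:2::10#53
06-Mar-2013 15:37:55.502 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:37:55.533 lame server resolving 'openssl.linux-mirror.org' (in 'linux-mirror.org'?): 217.115.143.130#53
06-Mar-2013 15:40:00.000 zone example.test/IN: loaded serial 1
"""

def summarize(log_text):
    """Map each remote server to the names it REFUSED and the zones it is lame for."""
    out = defaultdict(lambda: {"refused": set(), "lame": set(), "lines": 0})
    for line in log_text.splitlines():
        line = line.rstrip()
        m = REFUSED_RE.search(line)
        kind, key = ("refused", "name") if m else ("lame", "zone")
        m = m or LAME_RE.search(line)
        if not m:
            continue  # not one of the two message shapes
        entry = out[m.group("server")]  # \S+ also captures IPv6 addresses
        entry[kind].add(m.group(key).lower())
        entry["lines"] += 1
    return dict(out)

def report(summary):
    """One text row per server, busiest first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["lines"], kv[0]))
    return ["%-22s lines=%d refused=%s lame=%s" % (
        srv, e["lines"], sorted(e["refused"]), sorted(e["lame"])) for srv, e in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```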
