Radke, Justin <[email protected]> wrote:

> 2. Do you have an actual localhost zone that issues 127.0.0.1?

Yes. I think this is best practice though it isn't required by RFC 6303 and isn't set up by default in BIND like the empty reverse DNS zones.

> 3. Do you block >512 Bytes DNS requests?

512 byte requests are unlikely to be valid. Blocking >512 byte answers breaks the DNS.

> 4. Do you block non-UDP DNS requests or rate-limit requests?

Blocking TCP requests breaks the DNS. See RFC 5966.

> 5. Anything else you block/filter on your DNS servers?

Have a look at these slides, especially the last 12 on mitigating abuse of recursive servers.

http://www.isc.org/wp-content/uploads/2014/11/DNS-RRL-LISA14.pdf

Tony.

--
f.anthony.n.finch <[email protected]> http://dotat.at/
Northeast Viking, North Utsire: Southeasterly becoming variable, 3 or 4. Slight or moderate. Showers. Good.
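An added check, not part of Tony's message or the thread, that exercises points 2 and 4 against your own resolver: it sends an A query for localhost over UDP and then over TCP (RFC 5966 framing), so a resolver without a localhost zone, or one whose TCP/53 is filtered, shows up. It uses only the Python 3 standard library; the server address and the name queried are assumptions to adjust.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    # Minimal DNS query: RD=1, one question, class IN; qtype 1 = A
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS message."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(off):
        while True:
            ln = msg[off]
            if ln == 0 or ln & 0xC0 == 0xC0:  # root label ends the name; pointer is 2 bytes
                return off + (2 if ln else 1)
            off += 1 + ln
    off = 12
    for _ in range(qd):  # question: name, then type and class
        off = skip_name(off) + 4
    addrs = []
    for _ in range(an):  # answer: name, type, class, ttl, rdlength, rdata
        off = skip_name(off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query(server, name, tcp=False, timeout=2.0):
    """A query over UDP, or over TCP (RFC 5966: same message behind a 2-byte length)."""
    q = build_query(name)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return parse_a_records(s.recv(4096))
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        f = s.makefile("rb")  # read(n) blocks until n bytes arrive or the peer closes
        prefix = f.read(2)
        if len(prefix) < 2:
            raise ConnectionError("TCP stream closed early: is TCP/53 being filtered?")
        (length,) = struct.unpack("!H", prefix)
        return parse_a_records(f.read(length))
```

Run `query("127.0.0.1", "localhost")` and `query("127.0.0.1", "localhost", tcp=True)` against a resolver you operate (address is a placeholder); both should return `["127.0.0.1"]` when a localhost zone exists and TCP is not blocked.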

