On Sun, Aug 31, 2014 at 9:53 PM, Sonic <[email protected]> wrote:
> On Sun, Aug 31, 2014 at 3:24 PM, Maciej Soltysiak <[email protected]>
> wrote:
>> You mean you want to reply nxdomain for domains of your choosing?
>> If so, then this is your answer:
>>
>> local-zone: "ads.youtube.com" refuse
>> local-zone: "googlesyndication.com" refuse
>
> Refuse does not supply NXDOMAIN.
>
> Test it yourself and see the man page:
> ===============================================
> refuse  Send an error message reply, with rcode REFUSED. If there is
>         a match from local data, the query is answered.
>
> static  If there is a match from local data, the query is answered.
>         Otherwise, the query is answered with nodata or nxdomain.
>         For a negative answer a SOA is included in the answer if
>         present as local-data for the zone apex domain.
> ===============================================

I stand corrected.
When deploying my own set of refused zones I opted for the REFUSED rcode because that's actually more informative and closer to the fact: I'm not lying that the domain doesn't exist, I'm saying I am refusing to answer this question.

I guess it must be very, very rare that applications make a distinction between REFUSED and NXDOMAIN.

That goes even lower down the IP stack. I rarely DROP packets; I mostly send ICMP Admin prohibited, especially for UDP traffic.

> Chris

Maciej

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
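The following is an added illustration of the man-page semantics quoted above, not code from the thread or from Unbound itself. It models the `refuse` and `static` local-zone types as the man page describes them and emits real DNS response messages, so the difference between rcode REFUSED (5) and NXDOMAIN (3), which the thread says applications seldom distinguish, can be inspected with a client-side header parser. The `blocked.example` zone, its `sinkhole` local-data record and the query names are constructed for the example; the SOA that Unbound attaches to a negative answer from a `static` zone is not modelled.

```python
"""Wire-level model of Unbound 'refuse' vs 'static' local-zone answers.

Added example mirroring the quoted man-page text: refuse -> rcode REFUSED
unless local-data matches; static -> local-data, else NODATA or NXDOMAIN.
The zone list and the sinkhole record below are constructed, not real config.
"""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
QTYPES = {"A": 1, "AAAA": 28}

# Constructed policy, as it would read in unbound.conf:
#   local-zone: "ads.youtube.com" refuse
#   local-zone: "googlesyndication.com" refuse
#   local-zone: "blocked.example" static            (hypothetical zone)
#   local-data: "sinkhole.blocked.example. A 127.0.0.1"
LOCAL_ZONES = {
    "ads.youtube.com.": "refuse",
    "googlesyndication.com.": "refuse",
    "blocked.example.": "static",
}
LOCAL_DATA = {("sinkhole.blocked.example.", "A"): "127.0.0.1"}


def _canon(name):
    """Lower-case, single trailing dot: the form used for all comparisons."""
    return name.lower().rstrip(".") + "."


def find_zone(qname):
    """Longest-suffix match of qname against the configured local zones."""
    qname = _canon(qname)
    best = None
    for zone in LOCAL_ZONES:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def answer(qname, qtype):
    """Return (rcode, rdata) per the zone type; rcode None means the query
    is not covered by a local zone and would go to normal recursion."""
    qname = _canon(qname)
    zone = find_zone(qname)
    if zone is None:
        return None, None
    rdata = LOCAL_DATA.get((qname, qtype))
    if rdata is not None:
        return RCODE_NOERROR, rdata        # local-data match is always answered
    ztype = LOCAL_ZONES[zone]
    if ztype == "refuse":
        return RCODE_REFUSED, None         # refuse: REFUSED, never NXDOMAIN
    if ztype == "static":
        if any(n == qname for n, _ in LOCAL_DATA):
            return RCODE_NOERROR, None     # name exists, type does not: NODATA
        return RCODE_NXDOMAIN, None        # name absent from local-data: NXDOMAIN
    raise ValueError("unsupported local-zone type: %s" % ztype)


def _encode_name(name):
    labels = _canon(name).rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qid, qname, qtype, rcode, rdata=None, ttl=3600):
    """Assemble a DNS response: QR=1, AA=1, one question, optional A record."""
    flags = 0x8000 | 0x0400 | (rcode & 0xF)
    ancount = 1 if rdata is not None else 0
    msg = struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0)
    msg += _encode_name(qname) + struct.pack(">HH", QTYPES[qtype], 1)
    if rdata is not None:
        if qtype != "A":
            raise ValueError("only A rdata is encoded in this model")
        ip = bytes(int(octet) for octet in rdata.split("."))
        # 0xc00c is a compression pointer back to the question name.
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + ip
    return msg


def resolve(qname, qtype, qid=0x1234):
    """Local-zone lookup followed by wire encoding; None if it would recurse."""
    rcode, rdata = answer(qname, qtype)
    if rcode is None:
        return None
    return build_response(qid, qname, qtype, rcode, rdata)


def parse_header(msg):
    """(rcode, ancount) from the 12-byte header, as a resolver client sees it."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    return flags & 0xF, ancount


if __name__ == "__main__":
    for name, qtype in [("ads.youtube.com", "A"), ("x.blocked.example", "A"),
                        ("sinkhole.blocked.example", "A"),
                        ("sinkhole.blocked.example", "AAAA"), ("example.org", "A")]:
        msg = resolve(name, qtype)
        print(name, qtype, "recurse" if msg is None else parse_header(msg))
```

Against a real Unbound the same check is `dig @127.0.0.1 ads.youtube.com` and reading the `status:` field in the `->>HEADER<<-` line, which will say REFUSED for a `refuse` zone and NXDOMAIN for a name with no local-data in a `static` zone.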
