Hi Ondrej, and others,

A legitimate client, following a normal chain of referrals, has *no* reason to query a server for zones it is not authoritative for. Most of the time, such a query would only arrive at a name server from a naughty client. And then, replying with any response, even REFUSED, is satisfying this client's naughtiness.
I think it's quite okay for an authoritative name server to simply DROP UDP queries for zones that it's not authoritative for. It's better to ignore naughty clients, and give them the cold shoulder, and not participate in reflection attacks using REFUSED responses.

Regards,
Anand

On 13/04/2021 11:47, Ondřej Surý wrote:
> Yes, the legitimate client would be susceptible to spoofing. No
> answer means larger time windows to guess the port+msgid combination.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
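The trade-off in this thread is between answering an out-of-zone UDP query with REFUSED (a small reply the resolver receives quickly, so the spoofing window stays short) and dropping it (no reflected bytes at all, but a resolver that sent it legitimately waits out its full timeout). The following is an added example, not code from Anand's message or from BIND: a small Python model of the decision an authoritative server makes. It parses a raw DNS query, applies a label-wise suffix match against a constructed list of served zones (`AUTHORITATIVE_ZONES`, an assumption for illustration), builds the REFUSED reply the way a server echoing the question would, or returns nothing under the drop policy, and reports the bytes-out-per-byte-in ratio a reflection victim would see. The `handle_query` and `amplification` names are the example's own.

```python
import struct

# Constructed example: the zones this hypothetical authoritative server serves.
AUTHORITATIVE_ZONES = ("example.com.", "example.net.")

RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name starting at offset; returns (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # A question section never needs compression pointers; treat one as malformed.
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qid, qname, qtype=1, qclass=1):
    """Build a minimal UDP query: RD set, one question, no EDNS (constructed input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_query(msg):
    """Parse the header and the single question of a DNS message."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "question_end": off + 4}


def is_authoritative_for(qname, zones=AUTHORITATIVE_ZONES):
    """True if qname is at or below a served zone, compared label by label
    (so 'notexample.com.' does not match 'example.com.')."""
    qlabels = qname.lower().rstrip(".").split(".")
    for zone in zones:
        zlabels = zone.lower().rstrip(".").split(".")
        if len(zlabels) <= len(qlabels) and qlabels[-len(zlabels):] == zlabels:
            return True
    return False


def build_refused(query):
    """Build a REFUSED reply: same ID, QR=1, RD copied, RCODE=5, question echoed, no records."""
    q = parse_query(query)
    flags = 0x8000 | (q["flags"] & 0x0100) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + query[12:q["question_end"]]


def handle_query(query, policy="refused", zones=AUTHORITATIVE_ZONES):
    """Decide what to send for a UDP query.

    In-zone queries are marked for normal processing (out of scope here).
    policy="refused": reply with RCODE=5 (the behaviour Ondřej defends).
    policy="drop":    send nothing (the behaviour Anand proposes).
    """
    q = parse_query(query)
    if is_authoritative_for(q["qname"], zones):
        return "answer-normally"
    if policy == "drop":
        return None
    return build_refused(query)


def amplification(query, response):
    """Bytes sent back per byte received: what a spoofed-source victim would be sent."""
    return 0.0 if response is None else len(response) / len(query)


if __name__ == "__main__":
    off_zone = build_query(0x1234, "www.example.org.")
    for policy in ("refused", "drop"):
        reply = handle_query(off_zone, policy=policy)
        print(policy, "->", None if reply is None else len(reply), "bytes,",
              "ratio", amplification(off_zone, reply))
```

Run as a script it shows the point both sides agree on: a REFUSED reply to a 33-byte query is itself 33 bytes (ratio 1.0, no amplification), while dropping reflects nothing; what the drop policy costs is the legitimate resolver's timeout, which is the window Ondřej refers to.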