You don't understand what kind of blacklist I want; I want to blacklist the domain name being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses of requestors (since we all know criminals don't use their own identities; they use the identities of innocent bystanders).
Again, why should _my_ nameserver respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.
these answers are minimal, so the problem is made as small as possible.
Reindl Harald <h.rei...@thelounge.net> writes:
Am 16.12.21 um 14:22 schrieb Andrew P.:
AGAIN: you don't gain anything by not responding on a UDP protocol
because the client can't distinguish no response from packet loss
On 16.12.21 13:56, Andrew P. wrote:
AGAIN, the criminal DDoS attacker who's creating these forged requests
isn't looking for replies to themselves; they're looking to abuse some
poor victim. And the victim can't make the attacker shut up.
I use fail2ban to block these, so while a few packets always pass, the rest
gets blocked.
so you *increase* the load by retries on the client
No, the attacker is going to send their packets as often as they feel like
it regardless of whether I answer, and they won't know if the load on the
victim is sufficient to crush them (or if I am participating), since the
attacker isn't receiving the attack. They won't speed up on me just
because I refuse to participate in their ugly little games because they
won't know I'm not playing along (at least until they decide to attack
_me_ instead of someone else).
don't get me wrong but you need to understand the implications of what
you are doing - for DOS attacks "Response Rate Limiting" was invented
and for non-DOS requests there isn't any valid reason to take action
Please tell me what non-DOS requests would be asking _my_ name server to
dump the root domain. I'm not running a caching-only public nameserver
(such as an ISP might run for their customers), so _no_ _one_ should be
asking my nameserver for the entire root domain. Even webcrawlers don't
need to harass non-root nameservers for root domain information.
Note I haven't done anything yet; I'm asking if there _is_ a way to do it
presently implemented in Bind.
none I know so far.
I'd be glad if someone told me there's a better way and what it is.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
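Since the thread mentions Response Rate Limiting without showing it, here is an added named.conf fragment (not from any poster on this thread) contrasting a bare authoritative configuration with one that enables BIND's built-in RRL and minimal ANY answers. Zone names and rate values are placeholders chosen for illustration; the option names are BIND's own (minimal-any requires BIND 9.11 or later).

```conf
// BEFORE: authoritative-only server with no rate limiting.
// Every forged "./ANY/IN" query gets a (small) REFUSED reply at full rate,
// and ANY queries for hosted zones get the complete RRset list.
options {
    directory "/var/named";
    recursion no;
};
zone "example.test" { type primary; file "example.test.zone"; };

// AFTER: same server with Response Rate Limiting and minimal ANY answers.
// RRL counts identical responses per client prefix per second; once the
// limit is exceeded, "slip 2" makes every other response a truncated (TC)
// reply, so a real client retries over TCP while a spoofed victim gets
// only a tiny packet. errors-per-second covers the REFUSED replies that
// queries for names we are not authoritative for (such as ".") produce.
options {
    directory "/var/named";
    recursion no;
    minimal-responses yes;      // no extra authority/additional records
    minimal-any yes;            // answer ANY with a single RRset over UDP
    rate-limit {
        responses-per-second 5; // identical positive answers per /24 per second
        nxdomains-per-second 5;
        errors-per-second 5;    // REFUSED/SERVFAIL etc. (the "./ANY/IN" case)
        window 5;               // seconds of credit a client may accumulate
        slip 2;                 // send TC=1 instead of dropping every 2nd time
        ipv4-prefix-length 24;  // bucket clients by /24
        ipv6-prefix-length 56;
        log-only no;            // set "yes" first to observe without dropping
    };
};
zone "example.test" { type primary; file "example.test.zone"; };
```

Run with log-only yes and watch for "rate limit" log entries before enforcing, so legitimate resolvers behind large NATs are not starved.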