dns[01].cl auth NS to refuse “other” requests

The authoritative nameservers for cl.cam.ac.uk are moving to return REFUSED for requests for other domains, rather than sending back AUTHORITY and ADDITIONAL RRs to help the client find the requested RR.

SANS has details of how packets with spoofed source IP addresses are being sent to NSs to cause them to send “large” (500 byte) packets as a DoS attack. The suggestion from the CS was to add “allow-query { none; };” to options and then, in each zone, “allow-query { any; };”. dns0 has been done, and if there are no obvious problems, dns1 will follow.
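
To show why REFUSED removes the amplification, this added example (not part of the original post) builds a query for an out-of-zone name and compares the size of a REFUSED reply with a constructed upward referral. The name example.org, the 13 root NS records and the TTL are assumptions chosen for illustration, not captured traffic.

```python
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=2, txid=0x1234):
    """Minimal query: RD set, one question, QTYPE 2 (NS), QCLASS 1 (IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def refused_reply(query):
    """Model of a REFUSED reply: header plus echoed question, RCODE 5."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!6H", txid, 0x8105, 1, 0, 0, 0) + query[12:]

def referral_reply(query):
    """Constructed upward referral: 13 root NS records in AUTHORITY."""
    txid = struct.unpack("!H", query[:2])[0]
    rrs = b""
    for letter in "abcdefghijklm":
        rdata = encode_name(letter + ".root-servers.net")
        # owner "." + TYPE NS + CLASS IN + TTL (assumed) + RDLENGTH + RDATA
        rrs += b"\x00" + struct.pack("!2HIH", 2, 1, 518400, len(rdata)) + rdata
    return struct.pack("!6H", txid, 0x8100, 1, 0, 13, 0) + query[12:] + rrs

def classify(query, response):
    """Report whether a reply is REFUSED or a referral, and its size ratio."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    rcode = flags & 0x000F
    return {
        "refused": rcode == RCODE_REFUSED,
        "referral": rcode == RCODE_NOERROR and an == 0 and ns + ar > 0,
        "amplification": round(len(response) / len(query), 2),
    }

if __name__ == "__main__":
    q = build_query("example.org")  # out-of-zone name (assumed)
    print("REFUSED :", classify(q, refused_reply(q)))
    print("referral:", classify(q, referral_reply(q)))
```

The REFUSED reply is the same size as the query, so a spoofed request gains nothing by bouncing off the server, while the referral is many times larger.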
