Department of Computer Science and Technology

The authoritative nameservers for are moving to return REFUSED for requests for other domains, rather than sending back AUTHORITY and ADDITIONAL RRs to help the client to find the requested RR.

SANS has details of how packets with spoofed source IP addresses are being sent to nameservers to cause them to send "large" (500 byte) packets as a DoS attack. The suggestion from the CS was to add "allow-query { none; };" to options and then, in each zone, "allow-query { any; };". dns0 has been done, and if there are no obvious problems, dns1 will follow.
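One way to confirm the change from captured replies, as an added example that is not part of the original post: it reads the DNS header of a reply to an out-of-zone query and reports whether the server refused or returned AUTHORITY/ADDITIONAL records, along with the reply-to-query size ratio. The function names, the query name example.org and the sample packets are constructed for illustration.

```python
import struct

RCODE_REFUSED = 5  # RFC 1035 response code "Refused"

def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query (class IN, RD clear) for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def classify_reply(query, reply):
    """Return (verdict, size_ratio) for the reply to an out-of-zone query."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    if reply[:2] != query[:2] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    ratio = round(len(reply) / len(query), 1)
    if flags & 0x000F == RCODE_REFUSED and an == 0 and ns == 0:
        return "refused", ratio
    if ns or ar:
        return "referral", ratio  # AUTHORITY/ADDITIONAL RRs were sent back
    return "other", ratio

def sample_replies(query):
    """Constructed replies: a REFUSED answer and a 500-byte referral."""
    txid, question = query[:2], query[12:]
    refused = txid + struct.pack("!5H", 0x8005, 1, 0, 0, 0) + question
    referral = txid + struct.pack("!5H", 0x8000, 1, 0, 13, 13) + question
    # Zero filler stands in for the record data; only the header is parsed.
    referral += b"\x00" * (500 - len(referral))
    return refused, referral

if __name__ == "__main__":
    q = build_query("example.org")
    for label, reply in zip(("after", "before"), sample_replies(q)):
        print(label, classify_reply(q, reply))
```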

Published by Piete Brooks on Thursday 7th May 2009