Maintained by: NLnet Labs

[Unbound-users] Define a local zone to return NXDOMAIN

Maciej Soltysiak
Mon Sep 1 15:37:08 CEST 2014


On Sun, Aug 31, 2014 at 9:53 PM, Sonic <sonicsmith at gmail.com> wrote:
> On Sun, Aug 31, 2014 at 3:24 PM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
>> You mean you want to reply nxdomain for domains of your choosing?
>> If so, then this is your answer:
>>
>> local-zone: "ads.youtube.com" refuse
>> local-zone: "googlesyndication.com" refuse
>
> Refuse does not supply NXDOMAIN.
>
> Test it yourself and see the man page:
> ===============================================
>        refuse    Send an error message reply, with rcode REFUSED.  If there is
>                  a match from local data, the query is answered.
>
>        static    If there is a match from local data, the query is answered.
>                  Otherwise, the query is answered with nodata or nxdomain.
>                  For a negative answer a SOA is included in the answer if
>                  present as local-data for the zone apex domain.
> ===============================================
I stand corrected.

When deploying my own set of refused zones I opted for REFUSED rcode
because that's actually more informative and to the fact.
I'm not lying that the domain doesn't exist, I'm saying I am refusing to
answer this question.

I guess it must be very very rare that applications make a distinction
between REFUSED and NXDOMAIN.

That goes even lower down the IP stack. I rarely DROP packets. I
mostly send ICMP Admin prohibited. Especially for UDP traffic.

> Chris
Maciej
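For readers landing on this thread looking for the actual configuration, here is an added example (written for this archive page, not posted by either participant) showing both choices side by side in unbound.conf: the REFUSED rcode Maciej uses, and a `static` zone that yields NXDOMAIN as Chris wanted. The domain names are the ones from the thread; the SOA record contents are made up.

```conf
# Added example: blocking a name with rcode REFUSED versus NXDOMAIN.
# Both lines belong in the server: clause of unbound.conf.
server:
    # Choice 1 (Maciej's): answer with rcode REFUSED. It is honest about what
    # is happening ("I will not answer this"), but a stub resolver that treats
    # REFUSED as a server problem may retry, or fall over to a second
    # nameserver in resolv.conf, so the block may not stick on every client.
    local-zone: "googlesyndication.com" refuse

    # Choice 2 (what Chris asked for): a static zone with no local-data.
    # Per the man page excerpt above, a static zone answers only from local
    # data and otherwise returns nodata/nxdomain; with no data defined at all,
    # every name in the zone, including the apex, gets NXDOMAIN.
    local-zone: "ads.youtube.com" static

    # Caveat: adding a SOA at the apex makes the negative answers carry a SOA
    # (useful for negative caching), but the apex name then *exists*, so a
    # query for ads.youtube.com itself becomes NOERROR/NODATA rather than
    # NXDOMAIN; only names below it still get NXDOMAIN. Constructed values:
    # local-data: "ads.youtube.com. 3600 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 3600"
```

Check the file with `unbound-checkconf`, restart, and confirm the behaviour with `dig @127.0.0.1 googlesyndication.com` (expect `status: REFUSED`) and `dig @127.0.0.1 ads.youtube.com` (expect `status: NXDOMAIN`). Newer Unbound releases also offer the `always_nxdomain` local-zone type for exactly this case; it is not mentioned in the thread, so check your version's unbound.conf(5) before relying on it.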