Maintained by: NLnet Labs

[Unbound-users] Define a local zone to return NXDOMAIN

Sonic
Mon Sep 1 15:48:28 CEST 2014


On Mon, Sep 1, 2014 at 9:37 AM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
> When deploying my own set of refused zones I opted for REFUSED rcode
> because that's actually more informative and to the fact.
> I'm not lying the domain doesn't exist, I'm saying I am refusing to
> answer this question.

Same here.

> I guess it must be very very rare that applications make a distinction
> between REFUSED and NXDOMAIN.

I'm not aware of any cases offhand.

> That goes even lower down the IP stack. I rarely DROP packets. I
> mostly send ICMP Admin prohibited. Especially for UDP traffic.

I try to use a good working mix, and do answer ping requests. I think
the whole "stealth" stance is not net friendly.

Chris