
RCODE 5 (REFUSED) as response type

Open shaanen opened this issue 5 years ago • 1 comment

Wouldn't it be better to use RCODE 5 "REFUSED" as response type rather than NXDOMAIN, since we are filtering DNS requests?

e.g. for Unbound: local-zone: evil.invalid refuse

shaanen avatar Nov 19 '18 12:11 shaanen

A DNS client that receives a REFUSED answer will forward the request to the next server in the network configuration, while a client that receives an NXDOMAIN answer to the DNS query will stop querying the DNS servers known in the network, thus making the 'static' black list solution more rigid and faster.

montyubuntu avatar Feb 12 '19 20:02 montyubuntu
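The behaviour described in the reply above, as an added example that is not code from the dns-zone-blacklist project or from either commenter: a small Python model of a stub resolver that walks its configured servers in order, plus a blocklist server that answers a listed name with either REFUSED (the Unbound `refuse` zone type) or NXDOMAIN (the `static` zone type). The blocked name `evil.invalid`, the server labels, the address 203.0.113.10 and the rule that only NOERROR or NXDOMAIN ends the search are assumptions constructed for this example. Real stub resolvers differ in exactly which RCODEs make them try the next server, so check the resolver on your platform before relying on this.

```python
import struct

# DNS RCODEs (RFC 1035 section 4.1.1): the two response types debated in the issue above.
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5

# Constructed sample data for this example (not from the project).
BLOCKED_NAMES = {"evil.invalid"}
UPSTREAM_ANSWER_IP = "203.0.113.10"   # documentation range, stands in for a real address


def build_query(qname, txid=0x1234):
    """Build a minimal DNS query for an A record, class IN, with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)


def qname_of(msg):
    """Read the (uncompressed) question name that starts at offset 12."""
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_response(query, rcode, answer_ip=None):
    """Answer 'query' with the given RCODE; optionally attach one A record."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)   # QR, RD, RA, RCODE
    answer, ancount = b"", 0
    if answer_ip is not None:
        # 0xC00C: compression pointer to the question name; TYPE A, CLASS IN, TTL 60, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in answer_ip.split("."))
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0) + query[12:] + answer


def rcode_of(response):
    """Extract the 4-bit RCODE from the flags word of a response."""
    return struct.unpack("!H", response[2:4])[0] & 0xF


def filtering_server(block_rcode):
    """A blocklist resolver: answers listed names with 'block_rcode', mirroring the two
    Unbound policies in the thread (refuse -> REFUSED, static -> NXDOMAIN)."""
    def handle(query):
        if qname_of(query) in BLOCKED_NAMES:
            return build_response(query, block_rcode)
        return build_response(query, RCODE_NOERROR, UPSTREAM_ANSWER_IP)
    return handle


def open_server(query):
    """A second, unfiltered resolver in the client's configuration (assumed)."""
    return build_response(query, RCODE_NOERROR, UPSTREAM_ANSWER_IP)


def resolve(qname, servers):
    """Model of a stub resolver as the reply describes it: servers are tried in order,
    NOERROR or NXDOMAIN is final, anything else (REFUSED, SERVFAIL) moves to the next server.
    Returns (final_rcode, list_of_server_labels_tried)."""
    query = build_query(qname)
    tried = []
    for label, handler in servers:
        tried.append(label)
        rcode = rcode_of(handler(query))
        if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
            return rcode, tried
    return None, tried


def compare_policies(qname="evil.invalid"):
    """Run the blocked name through both policies with an unfiltered fallback server."""
    results = {}
    for label, rcode in (("refuse", RCODE_REFUSED), ("static", RCODE_NXDOMAIN)):
        servers = [("filtering", filtering_server(rcode)), ("upstream", open_server)]
        results[label] = resolve(qname, servers)
    return results


if __name__ == "__main__":
    for policy, (rcode, tried) in compare_policies().items():
        print(f"{policy:7s} -> final RCODE {rcode}, servers tried: {tried}")
```

With the `refuse` policy the blocked name ends up answered by the second, unfiltered server, so the blocklist is bypassed on any client that has more than one resolver configured; with the `static` (NXDOMAIN) policy the search ends at the filtering server. That is the practical reason the reply prefers NXDOMAIN for a blocklist.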