This is a discussion on Re: BIND9 negative cache after timeout. within the Bind Users forums, part of the DNS and Related Forums category.
I won't give an answer there because I have another related question:
Yes, sometimes my DNS server receives queries for an A record which I am not authoritative for... So as the query is recursive (and I allow recursion) I'm eventually talking to the authoritative server for that domain name... But that server times out...

The question is: will my DNS server 'negatively cache' this hostname? Or will it try to do the recursive job all over again?

If the last assumption is the right one then this can be an easy way to do denial-of-service: as a hac|<er:
* you register bad-domain.com and delegate it to a server and
* you make sure any query times out...
* you flood the victim with such recursive queries...
* As it takes quite a while to resolve, you will easily and rapidly fill up the "recursive client" quota... and here we go!

Any comment?

c|sc0

"new_new" <new_new@voila.fr> wrote in message news:bdi0aj$vr$1@sf1.isc.org...
> Hello,
>
> I run a bind9 with solaris and I want to add a negative caching.
>
> When a server on the internet is out of order, the time out for the
> responses is
> always reached and in this case my own server is infected with its
> requests pile.
>
> So, I'm looking for a parameter in bind which allows me to hide this
> kind of "no-response after timeout".
>
> Thanks for your help.
>
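A toy model of the question raised in the post above, as an added example that is not part of the original thread and is not BIND's implementation: it replays constructed queries through a resolver with a fixed client quota, once with no failure caching and once with a per-hostname failure cache. The function names and the quota, timeout, TTL and traffic rates are all assumptions.

```python
import heapq

def simulate(queries, quota, timeout_ms, fail_ttl_ms, fast_ms=50):
    """Replay (arrival_ms, qname, upstream_dead) tuples through a toy resolver.

    Each recursion holds one of `quota` client slots until it is answered
    (fast_ms) or the upstream times out (timeout_ms). With fail_ttl_ms > 0 a
    timed-out hostname is answered from a failure cache for that long.
    """
    slots = []       # min-heap of (finish_ms, qname, upstream_dead)
    fail_until = {}  # qname -> time until which the cached failure is served
    stats = {"recursed": 0, "from_fail_cache": 0, "refused": 0, "good_refused": 0}
    for now, qname, dead in sorted(queries):
        # Free slots whose fetch has finished; remember the ones that timed out.
        while slots and slots[0][0] <= now:
            done, name, was_dead = heapq.heappop(slots)
            if was_dead and fail_ttl_ms > 0:
                fail_until[name] = done + fail_ttl_ms
        if fail_until.get(qname, 0) > now:
            stats["from_fail_cache"] += 1        # answered at once, no slot held
        elif len(slots) >= quota:
            stats["refused"] += 1                # quota exhausted
            stats["good_refused"] += int(not dead)
        else:
            stats["recursed"] += 1
            finish = now + (timeout_ms if dead else fast_ms)
            heapq.heappush(slots, (finish, qname, dead))
    return stats

def workload(duration_ms, dead_every_ms, good_every_ms):
    """Constructed traffic: one unresolvable hostname plus unrelated cache misses."""
    q = [(t, "www.bad-domain.com", True) for t in range(0, duration_ms, dead_every_ms)]
    q += [(t, f"host{t}.example.org", False) for t in range(5, duration_ms, good_every_ms)]
    return q

if __name__ == "__main__":
    traffic = workload(3000, 100, 500)   # assumed rates, in milliseconds
    for ttl in (0, 5000):                # 0 = failures are never cached
        print(ttl, simulate(traffic, quota=3, timeout_ms=1000, fail_ttl_ms=ttl))
```

In this model the failure cache only starts helping once the first fetch has actually timed out, so the quota still fills during that first timeout window.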