Andrew, you've given me an intriguing idea!
On Sun, 7 Sep 2025, Andrew Pavlin wrote:
> Personally, I would like an even finer control than what the allow-query
> option allows. I too run an authoritative server, and it too is being
> routinely used for DNS amplification attacks. Rather than returning a
> REFUSED error (which still uses bandwidth on my link and the poor
> victim's link), I would like to be able to configure my bind instance to
> not respond AT ALL to _any_ domain queries for which I am not
> authoritative or a "glue" server.
Have you got RPZ set up? I run two RPZs for access control, which are
consulted sequentially. The first one is the allow list, the second is the
block list (although there is no technical enforcement, just the rules
which go into each): this is best practice.
I added
*.EDU CNAME rpz-drop.
to the block list. "dig @athena.m3047.net gsu.edu IN ANY" is dead air now.
That doesn't solve the issue of people asking for root (".") or (bare) edu
and getting a "lie", but it does mitigate the issue of people asking for
gsu.edu and getting a referral to root which is a lie.
That was what I thought would happen. Things were a little more
interesting when I tried simply
* CNAME rpz-drop.
That did not stop the server from responding when asked for root. It
stopped pretty much everything else which wasn't in the allow list.
The thing which was surprising is that it didn't stop queries for the
(parent) zone which the server is authoritative for (I expected to have to
add allow entries), which sounds like the behavior you desire without the
hassle of creating allow list entries. Personally I need to do some more
research before I'm comfortable with that.
I hope that helps, and thanks for the inspiration...
--
Fred Morris, internet plumber
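The two-zone RPZ layout Fred describes (an allow list consulted first, a block list consulted second, with the `rpz-drop.` entries from his message), written out as a configuration example. This is an added illustration, not Fred's own configuration: the zone names `allow.rpz` and `block.rpz`, the file names, and the `example.net` zone used to stand in for the operator's own authoritative zone are all assumed. BIND consults the zones in the `response-policy` clause in the order listed and stops at the first match, which is what gives the allow list priority over the block list.

```conf
# --- named.conf fragment (added example; zone and file names assumed) ---
response-policy {
    zone "allow.rpz";   # consulted first: passthru for the names we serve
    zone "block.rpz";   # consulted second: drop everything else
} qname-wait-recurse no;

zone "allow.rpz" {
    type master;
    file "allow.rpz.db";
    allow-query { none; };    # policy zones are internal; never served out
};

zone "block.rpz" {
    type master;
    file "block.rpz.db";
    allow-query { none; };
};

# --- allow.rpz.db: the allow list (first match wins, so these take priority) ---
$TTL 300
@               SOA  localhost. hostmaster.localhost. 1 3600 900 604800 300
@               NS   localhost.
; example.net stands in for the zone this server is authoritative for (assumed)
example.net     CNAME rpz-passthru.
*.example.net   CNAME rpz-passthru.

# --- block.rpz.db: the block list ---
$TTL 300
@               SOA  localhost. hostmaster.localhost. 1 3600 900 604800 300
@               NS   localhost.
; Fred's first experiment: silently discard any query under .edu, so
; "gsu.edu IN ANY" gets no response at all instead of a referral to root.
*.edu           CNAME rpz-drop.
; Fred's second, broader experiment. Per his message this still answers a
; query for the root (".") and, unexpectedly, did not block queries for the
; zone the server is authoritative for. Enable only after testing it yourself.
; *               CNAME rpz-drop.
```

After loading this, repeat Fred's check from the outside (`dig @<your-server> gsu.edu IN ANY`) and confirm the query times out rather than receiving REFUSED or a root referral; then query a name inside your own zone to confirm the passthru entries still let it answer. Because the block list is the second zone, any name matched in `allow.rpz` never reaches it, so adding passthru entries for new zones you become authoritative for is the way to punch holes in a broad drop rule.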