filter "unwanted" DNS

Kevin Darcy kcd at
Tue Dec 3 23:49:33 UTC 2002

"" wrote:

> Hi,
> Our DNS is not connected to the internet, it is connected to a private
> network.
> We are facing a problem. In our DNS we get a lot of "unwanted" queries. To
> answer they it
> costs our DNS CPU time/load. I want to avoid that.
> I have a list of domains/zones that my DNS will resolved them, the rest
> outside my list
> will not be resolved
> The question is how can I block those queries, in the named.conf --> option
> maybe?? But I
> dont't know how..
> E.g. domains:
> mnc001.mcc001
> mnc001.mcc002
> mnc001.mcc003 are allowed.
> rest domains like:
> mnc003.mcc040
> mnc020.mcc005
> mnc001.mcc262..etc..etc..I want to block them.

BIND has a "blackhole" option, but it's based on client source address, not
query contents. Query-content-based blackholing would be kind of pointless
anyway, since much of the CPU is expended simply decoding the packet and
determining what the client is asking for; once you've already invested those
resources, it doesn't take much more to send a negative response back.

Perhaps you could implement a filter at a lower level of the networking stack
that would look inside the query packet to determine what is being queried.
But this can be somewhat non-trivial, given the complexity of DNS packets, and
if you run such a filter on the DNS machine itself, it could end up hogging
more CPU than simply sending back the negative responses.

All in all, I think you'd be better off splitting your DNS load between more

- Kevin

More information about the bind-users mailing list