filter "unwanted" DNS queries..how??
kcd at daimlerchrysler.com
Tue Dec 3 23:49:33 UTC 2002
> Our DNS is not connected to the internet, it is connected to a private
> We are facing a problem. In our DNS we get a lot of "unwanted" queries. To answer them costs our DNS CPU time/load. I want to avoid that.
> I have a list of domains/zones that my DNS will resolve; the rest, outside my list, will not be resolved.
> The question is how can I block those queries, in the named.conf --> option maybe?? But I don't know how..
> E.g. domains:
> mnc001.mcc003 are allowed.
> the rest of the domains, like:
> mnc001.mcc262..etc..etc..I want to block them.
BIND has a "blackhole" option, but it's based on client source address, not
query contents. Query-content-based blackholing would be kind of pointless
anyway, since much of the CPU is expended simply decoding the packet and
determining what the client is asking for; once you've already invested those
resources, it doesn't take much more to send a negative response back.
Perhaps you could implement a filter at a lower level of the networking stack
that would look inside the query packet to determine what is being queried.
But this can be somewhat non-trivial, given the complexity of DNS packets, and
if you run such a filter on the DNS machine itself, it could end up hogging
more CPU than simply sending back the negative responses.
All in all, I think you'd be better off splitting your DNS load between more
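To make the reply's point concrete, here is an added example (not part of the original thread, and not BIND code): a minimal decoder for the question section of a DNS query on the wire, which then checks the QNAME against the allowlist from the post (mnc001.mcc003). The constructed packets, the build_query helper and the allow/drop/malformed labels are assumptions for illustration; note how much of the work is the decoding itself, which any query-content filter has to do before it can decide anything.

```python
import struct

# Allowed zones taken from the original post; everything outside them is "unwanted".
ALLOWED_ZONES = ("mnc001.mcc003",)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query packet (constructed sample input only)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + body + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_qname(packet: bytes) -> str:
    """Decode the QNAME of the first question; this is the work a filter cannot skip."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: never valid in a query's QNAME
            raise ValueError("compression pointer in question")
        pos += 1
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())  # DNS names compare case-insensitively
        pos += length
    return ".".join(labels)

def is_allowed(qname: str, zones=ALLOWED_ZONES) -> bool:
    """True when qname equals, or lies under, one of the allowed zones."""
    qname = qname.lower().rstrip(".")
    return any(qname == z or qname.endswith("." + z) for z in zones)

def classify(packet: bytes) -> str:
    """Return 'allow', 'drop' or 'malformed' for one raw query packet."""
    try:
        qname = parse_qname(packet)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return "malformed"
    return "allow" if is_allowed(qname) else "drop"
```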