How to suppress ADDITIONAL SECTION per zone

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Jul 1 14:07:05 UTC 2013


On 01.07.13 04:02, blrmaani wrote:
>We are noticing that a handful of our domains are being used for
> amplification attacks and we would like to reduce outgoing (DNS response)
> packet size.
>
>One solution is to reduce the additional sections in the response for these
> handful zones and I would like to know if there is any way to add
> something similar to "additional-from-auth no" per zone basis and achieve

It would be much better if you presented your problem in the beginning, rather
than just telling us what you want to do.

In this case you should set "minimal-responses yes" globally, otherwise all
your other domains can get used for such attacks too.

Do you have separate servers for resolving and for domains?
Resolving servers could send all possible info to your own clients, while
authoritative servers would provide as little information as needed.

Another possibility is to implement packet rate limiting - a patch was
discussed here a few days/weeks ago.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer
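The three suggestions in the reply (minimal-responses set globally, resolving separated from authoritative service, and response rate limiting) as one named.conf fragment. This is an added example, not configuration from the thread or from ISC; the zone name example.com, the "own-clients" ACL and its address ranges are assumptions, and here the split between resolver and authoritative service is done with two views on one server, which is a lighter substitute for the physically separate servers the reply asks about.

```conf
// Added example, not from the bind-users thread. Assumptions: the zone
// example.com and the client ranges in "own-clients" are placeholders.

// BIND's defaults are the weak configuration: "minimal-responses no"
// pads every answer with authority (NS) and additional (glue/address)
// records, and an unrestricted "recursion yes" makes the server an open
// resolver, so any zone, not just the handful being abused, amplifies.

acl "own-clients" { 192.0.2.0/24; 2001:db8::/32; };   // assumed ranges

options {
    directory "/var/named";
    // Global, not per zone: a per-zone knob would leave the remaining
    // zones usable for amplification, which is the point of the reply.
    minimal-responses yes;
    // Only the resolving service needs to be open, and only to our clients.
    allow-recursion   { "own-clients"; };
    allow-query-cache { "own-clients"; };
};

// Resolving service for our own clients: full answers are harmless here,
// because nobody outside "own-clients" can reach this view.
view "internal" {
    match-clients { "own-clients"; };
    recursion yes;
    minimal-responses no;          // send all the info to our own clients
    zone "example.com" { type master; file "example.com.db"; };
};

// Authoritative service for the rest of the Internet: no recursion, the
// smallest possible responses, and rate limiting as a backstop for answers
// that stay large regardless (ANY queries, DNSSEC-signed RRsets).
view "external" {
    match-clients { any; };
    recursion no;
    minimal-responses yes;
    // Response Rate Limiting. Needs a BIND built with RRL: shipped as an
    // optional feature in 9.9.4 (--enable-rrl) and standard from 9.10.
    rate-limit {
        responses-per-second 5;    // identical answers to one /24 per second
        window 5;                  // measured over a 5-second window
        slip 2;                    // every 2nd dropped reply is a TC=1 answer,
                                   // so real clients retry over TCP
        log-only no;               // set to yes first to observe before enforcing
    };
    zone "example.com" { type master; file "example.com.db"; };
};
```

Once views are used every zone has to live inside a view, so a zone that should be served to both audiences is declared twice, as above. To check the effect, query the external address with `dig +bufsize=4096 ANY example.com @ns.example.com` before and after, and compare the `MSG SIZE rcvd:` line; minimal-responses trims the NS and glue records, while the remaining size of large RRsets is what rate-limit is there for.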

