reject invalid dns queries

Alan Clegg alan at clegg.com
Mon Jan 19 15:16:28 UTC 2015


On 1/19/15 9:14 AM, Daniel Dawalibi wrote:

> Invalid DNS queries : non-existent domains that do not resolve to any
> IP as mentioned in the below example. We are trying to protect our
> DNS servers from a number of invalid dns queries targeting our
> caching server and originated from different source IPs. Is there any
> way to drop these requests based on the Query Access list from the
> DNS configuration file (named.conf)?

Those aren't "invalid DNS queries", they are queries that return an
NXDOMAIN response.  Quite different and completely legal (and required)
to have DNS work correctly.

Are these queries coming from inside your network?  If so, find the
machines that are generating them (assuming they are actually in massive
numbers) and fix the problem.

If they are coming from outside your network, create ACLs that restrict
queries to only your clients and ... voila, problem solved.

AlanC
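What the ACL step looks like in named.conf, as an added example for this thread (not configuration posted by either participant). The ACL name "trusted" is an assumption, and the address ranges are RFC documentation placeholders that stand in for the networks the caching server is actually meant to serve:

```conf
// Added example, not from the thread. 192.0.2.0/24 and 2001:db8::/32 are
// documentation placeholders; replace them with your real client ranges.

// --- Weak: an open resolver, usable as a cache by anyone on the Internet ---
// options {
//     recursion yes;
//     allow-query { any; };
// };

// --- Corrected: recursion and cache access only for our own clients ---
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;       // placeholder: internal IPv4 client range
    2001:db8::/32;      // placeholder: internal IPv6 client range
};

options {
    recursion yes;
    // Anyone outside the ACL gets a REFUSED response instead of a lookup,
    // so the caching server no longer does recursive work on their behalf.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};
```

Run `named-checkconf` against the file before reloading with `rndc reload`. Note that an allow-query denial answers REFUSED rather than dropping the packet; the `blackhole` option in `options` does drop silently, but only for an explicit address list, so it suits known repeat offenders rather than the scattered sources described above. If the traffic turns out to be internal, `rndc querylog` toggles per-query logging so the offending machines can be identified and fixed, as the reply suggests.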
