BIND recursive - DNS Nonsense Name Attacks

Evan Hunt each at
Thu May 28 23:22:16 UTC 2015

On Fri, May 29, 2015 at 09:08:04AM +1000, Neil wrote:
> Hi Bind users,
> Just wondering if anyone else has seen the DNS nonsense name attacks on
> their recursives?
> Any way to mitigate such attacks?
> Currently running version 9.10. I already have ACLs and RPZ deployed, but
> this is a "reactive" solution.  I read that fetches-per-server and
> fetches-per-zone have been deployed to subscription releases; is there any
> timeline for the code to be released in the public version? Anything else I
> can do?

The "fetches-per-X" features will be in 9.10.3 and 9.9.8, due out in a
couple of months.  (There'll probably be a compile-time option to turn them
on, since it's new functionality and we usually only put that into 9.X.0

Sooner than that, probably within a few weeks, it'll be pushed to our
public git repository on  There are some tweaks to the
code that are still pending internal review.

If you like, and if you promise to provide feedback, I'll give it to
you even before that.

In the meantime, you could temporarily create empty local zones for and any other domains that appear to be under attack.
This would cause all queries to return NXDOMAIN.  (It means your clients
can't resolve those domains, but there's a pretty fair chance they wouldn't
be able to anyway because DoS attack, and at least it reduces the
collateral damage the attack is doing to your resolver.)

You could also try blacklisting the clients from which the queries are
coming; they're probably infected with malware.

RPZ is also effective for this.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
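As an added illustration of the two mitigations Evan describes (empty local zones for the domains under attack, and blocking the clients sending the junk), here is a small detection script, not from the original post or from ISC, that scans BIND 9.10-style query-log lines and reports parent domains with many distinct query names plus the client addresses generating them. The log lines are constructed samples and the threshold of 3 is deliberately tiny for the demo; on a real resolver you would count per time window and use a much higher value.

```python
import re
from collections import defaultdict

# Constructed BIND 9.10-style query-log lines (not real traffic).
SAMPLE_LOG = """\
28-May-2015 23:20:01.100 client 192.0.2.10#5301 (k3jd8s.victim.example): query: k3jd8s.victim.example IN A + (10.0.0.53)
28-May-2015 23:20:01.101 client 192.0.2.10#5302 (p0qwe1.victim.example): query: p0qwe1.victim.example IN A + (10.0.0.53)
28-May-2015 23:20:01.102 client 192.0.2.11#5303 (zz91ab.victim.example): query: zz91ab.victim.example IN A + (10.0.0.53)
28-May-2015 23:20:01.103 client 192.0.2.10#5304 (m4nb7c.victim.example): query: m4nb7c.victim.example IN A + (10.0.0.53)
28-May-2015 23:20:01.104 client 198.51.100.7#40001 (www.example.org): query: www.example.org IN A + (10.0.0.53)
28-May-2015 23:20:01.105 client 198.51.100.7#40002 (www.example.org): query: www.example.org IN AAAA + (10.0.0.53)
"""

# Tolerates the optional "@0x..." client handle that newer BIND releases add.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)

def parent_domain(name, labels=2):
    """Last `labels` labels of a query name, e.g. k3jd8s.victim.example -> victim.example."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def analyse(log_text, labels=2):
    """Return {parent_domain: (number_of_distinct_names, {client_ip: query_count})}."""
    names = defaultdict(set)
    clients = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        parent = parent_domain(m["name"], labels)
        names[parent].add(m["name"].rstrip(".").lower())
        clients[parent][m["ip"]] += 1
    return {p: (len(names[p]), dict(clients[p])) for p in names}

def suspicious_domains(log_text, threshold=3, labels=2):
    """Parent domains seeing at least `threshold` distinct names: candidates for a temporary empty zone."""
    return sorted(p for p, (n, _) in analyse(log_text, labels).items() if n >= threshold)

if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    for dom in suspicious_domains(SAMPLE_LOG):
        count, by_client = stats[dom]
        print(f"{dom}: {count} distinct names; clients: {by_client}")
```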
