Stopping name server abuse

Tony Finch
Mon Jun 25 11:11:52 UTC 2018

jonny wrote:
> On 24.06.2018 at 23:41, Barry Margolin wrote:
> > jonny wrote:
> > >
> > > why don't you just delete the zones?
> >
> > That won't stop the queries from coming to the server.
> Yes, but it minimizes the use of resources because the only answer is
> NXDOMAIN.

If you delete the zones, the nameserver will return REFUSED not NXDOMAIN,
and the resolver that is making the query will retry.

We used to refuse external queries for, but for reasons
related to X.509 CAA checks we now use views to return NXDOMAIN instead.
This change unexpectedly reduced the query load on our authoritative
servers by half. (Obvious in retrospect, but...)

I suggest empty place-holder zones with long TTLs, possibly with a www
entry pointing to a page saying the account has been closed.

f.anthony.n.finch
oppose all forms of entrenched privilege and inequality
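As an added illustration (not part of the post above, and not a configuration from Tony Finch or the bind-users list), the following BIND fragment shows the two points made in the message: a zone that exists in an "internal" view but is only deleted from the "external" view yields REFUSED to outside resolvers, whereas an empty placeholder zone in the external view yields a cacheable NXDOMAIN (or a www answer) instead. The domain example.com, the ACL name, the nameserver names, the file paths and the 192.0.2.10 address are assumed placeholders, not values from the post.

```conf
// ---- /etc/named.conf (assumed path) ----
// "internal" is an assumed ACL covering the organisation's own resolvers.
acl "internal" { 192.0.2.0/24; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    zone "example.com" {
        type master;
        file "/var/named/internal/example.com.zone";   // real data, internal only
    };
};

view "external" {
    match-clients { any; };
    // Do NOT simply omit the zone here: a query for example.com from a
    // client in this view would then get REFUSED, and the querying
    // resolver retries instead of caching the failure.
    // Serving an empty placeholder zone gives an authoritative NXDOMAIN
    // for everything below the apex, which resolvers cache.
    zone "example.com" {
        type master;
        file "/var/named/placeholder/example.com.zone";
    };
};

; ---- /var/named/placeholder/example.com.zone (assumed path) ----
; Long TTLs so resolvers keep both the positive www answer and the
; negative answers for a day instead of re-asking.
$TTL 86400
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2018062501  ; serial (constructed)
        86400       ; refresh
        7200        ; retry
        3600000     ; expire
        86400 )     ; minimum: caps how long NXDOMAIN is cached (RFC 2308)
    IN NS  ns1.example.net.
; Optional: one record pointing at a static "this account has been
; closed" page; 192.0.2.10 is a documentation-range placeholder address.
www IN A   192.0.2.10
```

The negative-caching time resolvers actually use is the smaller of the SOA record's TTL and its minimum field, so both need to be long for the placeholder to cut query load. A quick check from outside the internal ACL is `dig +norec www.example.com @ns1.example.net`, which should report `status: NOERROR` with the www answer, and `dig +norec anything-else.example.com @ns1.example.net` should report `status: NXDOMAIN`, never `REFUSED`.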

More information about the bind-users mailing list