How does query denial actually work?

Andrew P. andrewemt at
Thu Dec 17 14:35:17 UTC 2020

Greetings, all.

I was curious about one of the features in BIND. Per the Best Practices, my on-site primary nameserver for my public domains (the secondaries being with a large public DNS provider) is configured to only allow queries from within my LAN and transfers in the LAN and to the designated servers at the DNS provider, and the zones don't actually list the primary in NS records (only in the SOA record). So I'm seeing large numbers of bursts of denied errors like this:

client @0x6e702710 (.): query (cache) './ANY/IN' denied

I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time gap, then a similar burst supposedly from a different IP address.

So, my questions are:

1. Are these attacks?

2. Does BIND actually send a reject message back, or is it silent in such denial cases (as in, not still attacking with smaller packets the victim of a DNS amplication attack)?

I can't figure it out from reading the source code; I haven't so far been able to trace back from where the messages are logged to where (if any) a response packet would be transmitted.


More information about the bind-users mailing list