How does query denial actually work?

Matus UHLAR - fantomas uhlar at
Wed Dec 23 17:44:55 UTC 2020

On 17.12.20 14:35, Andrew P. wrote:
>I was curious about one of the features in BIND.  Per the Best Practices,
> my on-site primary nameserver for my public domains (the secondaries being
> with a large public DNS provider) is configured to only allow queries from
> within my LAN and transfers in the LAN and to the designated servers at
> the DNS provider, and the zones don't actually list the primary in NS
> records (only in the SOA record).  So I'm seeing large numbers of bursts
> of denied errors like this:
>client @0x6e702710 (.): query (cache) './ANY/IN' denied
>I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time gap, then a similar burst supposedly from a different IP address.
>So, my questions are:
>1. Are these attacks?

yes, and they are very common on the internet.

>2.  Does BIND actually send a reject message back, or is it silent in such
> denial cases (as in, not still attacking with smaller packets the victim
> of a DNS amplication attack)?

usually, yes.  Those responses are small (I measured 74B now) and you can
limit there using responses-per-second or errors-per-second.

if you don't provide any servce (domain) to a public, you can filter DNS
requests from the internet.

>I can't figure it out from reading the source code; I haven't so far been
> able to trace back from where the messages are logged to where (if any) a
> response packet would be transmitted.

Matus UHLAR - fantomas, uhlar at ;
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

More information about the bind-users mailing list