Preventing a particular type of nameserver abuse

Grant Taylor gtaylor at
Mon Apr 12 20:39:44 UTC 2021

On 4/12/21 1:41 PM, Peter Coghlan wrote:
> As far as I can see providing no response at all in any instance when 
> a code 5 refused response would normally be returned would be the 
> appropriate thing for my nameserver to do here and doing this would 
> cause no difficulties at all with any legitimate queries or anyone 
> who is not an abuser.  Am I correct here?

You might consider filtering the egress code 5 from your server via 
local firewall.  I'm not entirely sure how to do this.  But I suspect 
that your platform's firewall has an option.

I know that I've used IPTable's "string" match extension to filter out 
problematic inbound queries at times in the past.  Perhaps something 
like this could be pressed into service to filter outgoing code 5 replies.

You might be able to apply the same methodology to filter unwanted 
inbound queries to completely avoid sending the reply code at all.

> All results of my research point to the use of rate limiting as the 
> only approach available for dealing with this sort of issue.

There are always multiple ways to do things.  It's a question of how 
practical they are.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the bind-users mailing list