Preventing a particular type of nameserver abuse

Anand Buddhdev anandb at
Tue Apr 13 10:02:25 UTC 2021

Hi Ondrej, and others,

A legitimate client, following a normal chain of referrals, has *no*
reason to query a server for zones it is not authoritative for. Most of
the time, such a query would only arrive at a name server from a naughty
client. And then, replying with any response, even REFUSED, is
satisfying this client's naughtiness.

I think it's quite okay for an authoritative name server to simply DROP
UDP queries for zones that it's not authoritative for. It's better to
ignore naughty clients, and give them the cold shoulder, and not
participate in reflection attacks using REFUSED responses.


On 13/04/2021 11:47, Ondřej Surý wrote:

> Yes, the legitimate client would be susceptible to spoofing. No
> answer means larger time windows to guess the port+msgid combination.

More information about the bind-users mailing list