Preventing a particular type of nameserver abuse

Julien Salort listes at
Tue Apr 13 20:32:48 UTC 2021

Le 13/04/2021 à 00:55, Richard T.A. Neal a écrit :

> That's exactly what I do - I have some code that's watching for a frequent occurrence of these sorts of queries and then adds a firewall rule for a predetermined amount of time to simply drop the incoming packets at the firewall - this prevents them from reaching BIND in the first place and thus consuming system resource on the BIND server. And I say "predetermined amount of time" because that rule is then removed after a period of time in case the abuse was "unintentional" (ahem), or in case it came from a system using a non-static IP (i.e. a different user may be using that IP now, so I don't want to block them).

Do you block specifically the dns queries in the firewall, or straight 
out block the IP?

Reading this thread, I considered simply enabling the fail2ban 
named-refused jail, but they advise against it because it would end up 
blocking the victim rather than the attacker.

I understand that always ignoring these request may be bad if it causes 
some timeout somewhere (though I still do not quite fully understand 
what legitimate requests those may be for a server which only does 
authoritative answers). Couldn't bind then have a built-in option to 
ignore repeated attempts from a given host, and cap the number of error 
codes sent to a given host per day?


More information about the bind-users mailing list