Preventing a particular type of nameserver abuse

@lbutlr kremels at
Tue Apr 13 22:29:01 UTC 2021

On 13 Apr 2021, at 04:02, Anand Buddhdev <anandb at> wrote:
> A legitimate client, following a normal chain of referrals, has *no*
> reason to query a server for zones it is not authoritative for.

Well, that's not really true. A mobile user might have their device configured to always check their corporate DNS server first, for example, then fall back if that fails.

Refusing makes everything faster, ignoring breaks things and makes things slower.

When a DNS host refuses a query, it will not be queried again, wen it times out, is is still in the rotation.

> Most of the time, such a query would only arrive at a name server from a naughty
> client.

Unlikely as there is no benefit to the "naughty" client. This is not a amplification attack, the refusal is a short packet, meaning the query from the client is probably larger than the response. Very inefficient for naughty clients.

> And then, replying with any response, even REFUSED, is
> satisfying this client's naughtiness.


> I think it's quite okay for an authoritative name server to simply DROP
> UDP queries for zones

It's not.

> that it's not authoritative for. It's better to
> ignore naughty clients, and give them the cold shoulder, and not
> participate in reflection attacks using REFUSED responses.

How do you imagine this is a reflection attack? It is far too small to be an effective attack for anything.

'Today Is A Good Day For Someone Else To Die!' --Feet of Clay

More information about the bind-users mailing list