Preventing a particular type of nameserver abuse

sthaug at nethelp.no
Wed Apr 14 08:30:55 UTC 2021


> I'm not talking of DNS *resolvers* here. I'm talking of authoritative
> servers. If my authoritative server is authoritative for zones A, B and
> C, then I should only get queries for those zones from legitimate
> resolvers and clients. Queries for any other zones should *not* be
> coming to my server. I shouldn't even be obliged to answer with REFUSED.
> I should just be able to ignore those queries completely as junk.

Agree that you should be able to ignore them. But as a practical matter,
ignoring them *may* result in the question being asked again and again,
while REFUSED *may* stop the client from asking more.

I run one of the authoritative name servers for no (Norway). That name
server receives its share of completely irrelevant queries, e.g. (25
queries from just now):

NS? .
ANY? sl.
ANY? sl.
A? d2cnv2pop2xy4v.cloudfront.net.
NS? .
A? www.google.li.
A? tussilagobarnehage-no02c.mail.protection.outlook.com.
A? handball-havdur-no.mail.protection.outlook.com.
A? tronica-no.mail.protection.outlook.com.
A? storage-support.glb.itcs.hpe.com.
A? msgr-latest.c10r.facebook.com.
NS? .
A? mqtt.c10r.facebook.com.
A? inappcheck.itunes.apple.com.edgekey.net.
Type65? inappcheck.itunes.apple.com.edgekey.net.
Type65? e69896.dscapi6.akamaiedge.net.
A? e69896.dscapi6.akamaiedge.net.
A? javvs-no.mail.protection.outlook.com.
A? clients4.google.com.
A? clients.l.google.com.
A? storage-support.glb.itcs.hpe.com.
A? au-bg-shim.trafficmanager.net.
NS? .
ANY? sl.
ANY? sl.

And here again we see the queries for .sl. In any case, the volume of
these queries is so low (on the order of 0.1% of the total) that I
don't really care. I'm not going to spend any time worrying about the
resource usage of these queries.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
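
An added example (not part of the original message): a short Python tally that classifies queries written in the `TYPE? name.` form of the listing above as inside or outside the zones a server is authoritative for, matching on label boundaries. The served-zone list, the in-zone sample names and the function names are assumptions made for the example.

```python
from collections import Counter

# Zones this server is authoritative for (assumption for the example).
SERVED_ZONES = ("no.",)

# Constructed sample in the "TYPE? name." form of the listing above;
# the in-zone names are invented for the example.
SAMPLE = """\
NS? .
ANY? sl.
ANY? sl.
A? www.google.li.
A? tronica-no.mail.protection.outlook.com.
Type65? e69896.dscapi6.akamaiedge.net.
A? www.example.no.
NS? no.
MX? Example.NO.
"""

def parse_line(line):
    """Split 'TYPE? name.' into (QTYPE, lowercase fully-qualified name)."""
    qtype, sep, qname = line.strip().partition("? ")
    if not sep or not qname:
        return None
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    return qtype.upper(), qname

def in_zone(qname, zones=SERVED_ZONES):
    """True if qname is a served zone apex or sits below one on a label boundary."""
    for zone in zones:
        z = zone.lower()
        if z == "." or qname == z or qname.endswith("." + z):
            return True
    return False

def summarize(text, zones=SERVED_ZONES):
    """Return (total, out-of-zone count, Counter of out-of-zone (qtype, qname))."""
    total, stray = 0, Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        if not in_zone(parsed[1], zones):
            stray[parsed] += 1
    return total, sum(stray.values()), stray
```

Names such as `tronica-no.mail.protection.outlook.com.` contain the string `no` but are not under `no.`, which is why the match is done on whole labels rather than on a plain suffix.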


More information about the bind-users mailing list