Preventing a particular type of nameserver abuse

Tony Finch dot at
Wed Apr 14 14:19:42 UTC 2021

sthaug at <sthaug at> wrote:
> Agree that you should be able to ignore them. But as a practical matter,
> ignoring them *may* result in the question being asked again and again,
> while REFUSED *may* stop the client from asking more.

REFUSED leads to retries too: if the client is a legit resolver it will
retry using the other authoritative servers. For example, when I changed
from refusing external queries to replying with an empty answer, the load
on our auth servers dropped by half.

Retries following REFUSED are also one reason why the RFC 8482 minimal-any
option is not refuse-any: when an ANY attack is bouncing off a recursive
server, the authoritative server can reduce the power of the attack by
returning a small cacheable answer. This reduces the load on the
authoritative servers (no retries), and on the recursive servers (no need
to recurse and retry), and reduces the volume of the attack traffic.

Probe traffic like these sl/IN/ANY queries is a very different matter. I
wouldn't expect any kind of reasonable behaviour, so it makes sense to
drop the queries as early as possible.

f.anthony.n.finch  <dot at>
North Fitzroy, Sole: Easterly or southeasterly 4 to 6. Moderate or
rough. Showers at first in northwest Fitzroy, otherwise fair. Good.
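The distinction drawn above between refuse-any and RFC 8482 minimal-any can be seen in a BIND `named.conf`. The following is an added illustration, not configuration from the original post or from the BIND project; the zone name and address lists are placeholders. The first `options` block refuses ANY queries outright, which is what produces the retry storm described; the second uses BIND's `minimal-any` option, which answers UDP ANY queries with a single RRset (plus its RRSIGs) that the recursive server can cache.

```conf
// Placeholder authoritative-only server, example.test is not a real zone.

// Variant A (the behaviour the post argues against): no ANY queries at all.
// A legitimate resolver that receives REFUSED will simply retry against
// the zone's other authoritative servers, so the load is moved, not removed.
options {
    directory "/var/named";
    recursion no;
    allow-query-cache { none; };
    // Refusing everything is not an RFC 8482 answer; it is just REFUSED
    // and triggers the retries described in the post.
    deny-answer-addresses { any; };   // placeholder, see note in text
};

// Variant B (RFC 8482 style): small, cacheable ANY responses.
// Over UDP, BIND replies with one RRset for the name instead of all of them;
// the recursive server caches that answer and stops re-asking, which cuts
// load on both sides and shrinks reflected attack traffic.
options {
    directory "/var/named";
    recursion no;
    allow-query-cache { none; };
    minimal-any yes;        // available in BIND 9.11 and later
    minimal-responses yes;  // keep the authority/additional sections small too
};

zone "example.test" {
    type primary;
    file "example.test.db";
    allow-query { any; };   // authoritative data is public; only ANY is minimised
};
```

Only one `options` block is allowed in a real `named.conf`; the two are shown side by side to contrast the settings. The `deny-answer-addresses` line in variant A is a placeholder standing in for whatever mechanism refuses the query (`allow-query { none; }` on a view, a firewall rule, or an RPZ) and should not be copied literally. Probe traffic such as the `sl/IN/ANY` queries the post mentions is a separate case: the poster's point is that those are best dropped before they reach `named` at all, since no cacheable answer will stop a scanner from retrying.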
