Preventing a particular type of nameserver abuse

Peter Coghlan bind at
Wed Apr 14 20:58:46 UTC 2021

Tony Finch wrote:
> Peter Coghlan <bind at> wrote:
>> Instead, isn't it the case that bind knows what domains it is authoritative
>> for (or which ones it is supposed to be authoritative for) and bind is
>> therefore in the ideal position to know which queries are abusive and which
>> are not rather than wrapping kludgy filtering mechanisms around it?
> Not always, sadly, because of misconfigured (lame) delegations. See the
> earlier messages from me and Ondřej -

But I don't have any misconfigured (lame) delegations and even if I had,
I think I would rather put up with the consequences of the lame delegations
on rare occasions than have my nameserver foisting abuse on others all
the time.

Those that are more worried about having lame delegations don't have to
use any option that would cause error responses to be dropped.

(I've been there and done that with the lame delegations years ago.  When
I fouled up the master, the slaves toiled on regardless, presumably because
the master returned "non-authoritative" or "refused" and nobody noticed there
was any problem.  Meanwhile, the slaves were unable to get zone transfers
from the fouled up master and much much later, they hit whatever the relevant
timeout was and the zone failed completely.  There then followed lots of head
scratching as to why the domain had failed when nothing had changed recently.
I think I would have preferred it if it had failed immediately after I made the
incorrect change (and I probably failed to notice bind trying to tell me about
it too) because I would have known exactly where to look for the problem.)

>> If there is a resistance to having bind ignore the abusive queries
>> altogether, could we at least have something like "errors-per-minute 1"
>> which would reduce the problem by a factor of 60 compared with
>> "errors-per-second 1"?  "errors-per-hour 1" would be even better still :-)
> There is probably something that might improve things, but I'm not sure
> what it is. I think the minimum RRL rate of 1 per second might be intended
> to work with resolver retry times. I'm wary of suppressing error responses
> without thinking through the possible consequences.

But isn't this what the filtering that has been suggested is going to do?
Except isn't the filtering marginally more likely to get fouled up because
of the danger of not keeping the filtering configuration and the bind
configuration in sync with each other?

Peter Coghlan.

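For readers following the errors-per-second discussion above, here is an added example of a BIND 9 `rate-limit` stanza (not from this thread or from the BIND project). It assumes the option names and defaults of a current BIND 9 `named.conf`; the numeric values are illustrative choices, not recommendations from either poster.

```conf
options {
    rate-limit {
        // Budget for ordinary (positive) answers per client network per second.
        responses-per-second 10;
        // Budget for error responses (REFUSED, SERVFAIL, FORMERR) per client
        // network per second.  1 is the minimum rate Tony refers to above;
        // there is no errors-per-minute form, which is Peter's complaint.
        errors-per-second 1;
        // Answer every 2nd dropped response with a truncated (TC) reply
        // instead of silence, so a real resolver can retry over TCP.
        slip 2;
        // Log what would have been dropped without dropping anything;
        // switch to "no" once the logs show no legitimate traffic affected.
        log-only yes;
    };
};
```

Running with `log-only yes` first is the practical way to "think through the consequences" of suppressing error responses before any are actually withheld.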
