How to return REFUSED

Tony Finch dot at
Thu May 6 14:45:07 UTC 2021

Axel Rau <Axel.Rau at Chaos1.DE> wrote:

> I have,
> 	allow-query { any; };
> 	allow-query-cache { recursive-users; };
> 	allow-recursion { recursive-users; };
> How can I make sure that non-recursive-users get a REFUSED if the query is recursive?

Weird! I think your config should do what you want so I wonder why it
isn't working. Your server is responding to the problem queries with a
referral from the root zone, so have you configured your server with a
local authoritative copy of the root?

There's a broader issue here:

Usually when you have a server that is providing recursive service to
anyone, it is best to set the allow-query ACL to cover just your users, so
everyone else gets REFUSED.

This means that your recursive server cannot also be used as an
authoritative server advertised in NS records. Your public authoritative
servers should be authoritative-only and not offer recursion to anyone.

> PS: I want to minimize the responses to this amplification attack:

Ooh, RRSIG queries are fun. They are like a stealth ANY query.

BIND has several tools for dealing with this kind of junk:

  * RRL is very effective

  * minimal-any also minimizes responses to RRSIG queries

  * minimal-responses can also help to reduce packet sizes

Your server is responding with a referral from the root, so minimal-any
won't have any effect on the response. And because it's a referral, the
glue etc. is not optional, so there's nothing that minimal-responses can
omit. So in your situation the most useful things to do would be:

  * tighten up your allow-query ACL

  * if you can't do that, use RRL (you can add recursive-users to the
    exempt-clients list)

  * configure separate views for recursive-users and others; do not
    include the root zone in your external view

f.anthony.n.finch  <dot at>
The Minch: North 6 or 7, backing northwest 3 to 5. Rough or very rough
at first northeast of Skye, otherwise slight or moderate. Wintry
showers. Good, occasionally poor.
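The three measures listed in the reply (a tighter allow-query ACL, RRL with recursive-users on the exempt list, and separate views with the local root copy kept out of the external one) fit together in a single named.conf. The sketch below is an added example and is not configuration from the thread or from Axel's server; the address ranges, the zone name, the file paths and the use of a BIND 9.14+ "mirror" root zone are all assumptions.

```conf
// Added example, not from the thread: one layout for a server that is both a
// resolver for local users and authoritative for a public zone. The address
// ranges, zone name and file paths are placeholders.

acl recursive-users {
    localhost;
    192.0.2.0/24;            // assumption: local user networks
    2001:db8::/32;
};

options {
    directory "/var/named";
    minimal-responses yes;   // omit authority/additional data where it is optional
    minimal-any yes;         // short UDP answers to ANY (and therefore RRSIG) queries
};

// Internal view: full resolver, reachable only from recursive-users.
// The local root copy lives here and nowhere else, so outsiders can
// never be handed a referral from it.
view "internal" {
    match-clients { recursive-users; };
    recursion yes;
    allow-query { any; };            // already restricted by match-clients
    allow-query-cache { any; };
    allow-recursion { any; };

    // Local root zone; "mirror" needs BIND 9.14+ and transfers the root
    // from the built-in default sources, validating it with DNSSEC.
    zone "." {
        type mirror;
    };

    zone "example.com" {
        type primary;
        file "example.com.zone";
    };
};

// External view: authoritative-only. allow-query { none; } at view level
// means any name outside the listed zones gets REFUSED; each public zone
// opens itself back up. RRL throttles repeated identical responses to one
// client /24 or /56 while leaving local users alone.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
    allow-query-cache { none; };
    allow-recursion { none; };

    rate-limit {
        responses-per-second 5;
        referrals-per-second 5;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;                      // every second dropped response is sent as TC=1 instead
        exempt-clients { recursive-users; };
        // log-only yes;             // uncomment first to measure what would be limited
    };

    zone "example.com" {
        type primary;
        file "example.com.zone";
        allow-query { any; };
        allow-transfer { none; };    // assumption: secondaries listed elsewhere
    };
};
```

Check it with `named-checkconf` before loading, then verify from an address outside recursive-users: `dig @server www.example.net` should come back with status REFUSED and the `ra` flag clear, while `dig @server example.com SOA` still answers NOERROR with `aa` set. Repeating the same query quickly from that outside address should show some replies dropped or truncated once RRL kicks in, and the same test from inside recursive-users should be unaffected.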
