Finer control over REFUSED, e.g. root referrals
Fred Morris
m3047 at m3047.net
Sat Sep 6 18:27:13 UTC 2025
So I have a BIND server which is publicly exposed, but which is not
referenced from the canonical tree we call "The DNS". It serves as a
firewall / DNS "WAF" for resources which it recurses to obtain.
People (bad, misinformed people) issue queries to it for things which it
is neither intended nor able to answer: it is not a general-purpose
recursing resolver:
# perl -ne 'm/query: (\S+) (\S+) (\S+)/ && printf "%s\n", join( "\t", $1, $2, $3);' bind-queries.log | sort | uniq -c | sort -rnk1 | grep -vE '^ +1 '
1912 gsu.edu IN ANY
13 sl IN ANY
10 isc.org IN TXT
10 isc.org IN ANY
10 cloudflare.com IN DNSKEY
9 version.bind CH TXT
9 ripe.net IN DNSKEY
9 cloudflare.com IN ANY
8 ripe.net IN TXT
8 ripe.net IN ANY
8 isc.org IN DNSKEY
8 cloudflare.com IN TXT
6 vtb.com IN ANY
3 collectd.org IN ANY
2 VERSION.BIND CH TXT
2 hostname.bind CH TXT
2 hbtbank.com IN TXT
2 hbtbank.com IN ANY
2 direct.shodan.io IN A
(That's a taste from the past 24 hours.)
It can't answer any of those questions, and properly enough given that it
recurses, answers NXDOMAIN. For completeness, you get essentially the
same answer if you ask +norecurse. But the mote in my eye is the AUTHORITY
section, which contains a referral to root (".") which references this
server, not the canonical roots. Mockapetris can holster his sidearm,
because this server is not part of The DNS.
However, if I ask one of ISC's nameservers (ns1.isc.org), running BIND
9.18.38 according to version.bind, for something for which it is not
authoritative, it answers REFUSED, with no referral in AUTHORITY. I'd
like to be able to do that.
# dig @ns1.isc.org . TXT +norecurse
; <<>> DiG 9.12.3-P1 <<>> @ns1.isc.org . TXT +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21168
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8aef89922fc3d6b60100000068bc7b689f633c48a5f93945 (good)
;; QUESTION SECTION:
;. IN TXT
;; Query time: 35 msec
;; SERVER: 149.20.2.26#53(149.20.2.26)
;; WHEN: Sat Sep 06 11:20:24 PDT 2025
;; MSG SIZE rcvd: 56
It would be nice if I could achieve this behavior, IN CASE someone else
running a server for this purpose intentionally or inadvertently put it in
The DNS (tree). Just so Mockapetris doesn't come gunning for them.
It seems as though somehow that behavior is implicit in allowing /
disallowing recursion by the server. I could modify the code and recompile
so that it answered everything "AA"; in fact I'd be pleased if this server
straight up lied and claimed to be authoritative for all of the domains it
legitimately queries, just saying. I don't know if I'd have to do some
additional work to get it to answer REFUSED.
It occurred to me that RPZ would be an option; but the RPZ implementation
has no option to return REFUSED.
Am I missing something?
--
Fred Morris, internet plumber
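Added example, not part of the post above: a Python equivalent of the perl | sort | uniq -c pipeline the post uses to tally query-log lines, with two small additions a defender running such a server would want. It can fold name case (so "version.bind" and "VERSION.BIND" count as one, as DNS names compare case-insensitively), and it tags the query shapes the post's table surfaces (ANY queries and CHAOS-class version.bind/hostname.bind fingerprinting) so they can be reported separately. The log lines are constructed samples in BIND's query-log format, not real traffic; the function names are my own.

```python
"""Aggregate BIND query-log lines into (qname, class, type) counts.

Mirrors the post's perl regex "query: (\S+) (\S+) (\S+)" followed by
sort | uniq -c | sort -rnk1 | grep -vE '^ +1 ', and adds optional
case folding plus a coarse tag per query shape.
"""
import re
from collections import Counter

# Same capture as the perl one-liner: "query: <name> <class> <type>"
QUERY_RE = re.compile(r"query: (\S+) (\S+) (\S+)")

# Constructed sample lines (not real traffic); addresses are RFC 5737
# documentation ranges. Format follows BIND's "queries" log category.
SAMPLE_LOG = """\
06-Sep-2025 11:20:01.101 queries: info: client @0x7f3a2c01 192.0.2.10#4455 (gsu.edu): query: gsu.edu IN ANY +E(0) (198.51.100.1)
06-Sep-2025 11:20:01.205 queries: info: client @0x7f3a2c01 192.0.2.10#4456 (gsu.edu): query: gsu.edu IN ANY +E(0) (198.51.100.1)
06-Sep-2025 11:20:02.310 queries: info: client @0x7f3a2c02 192.0.2.11#5300 (gsu.edu): query: gsu.edu IN ANY +E(0) (198.51.100.1)
06-Sep-2025 11:20:03.001 queries: info: client @0x7f3a2c03 192.0.2.12#6001 (isc.org): query: isc.org IN TXT +E(0) (198.51.100.1)
06-Sep-2025 11:20:03.002 queries: info: client @0x7f3a2c03 192.0.2.12#6002 (isc.org): query: isc.org IN TXT +E(0) (198.51.100.1)
06-Sep-2025 11:20:04.500 queries: info: client @0x7f3a2c04 192.0.2.13#7000 (version.bind): query: version.bind CH TXT - (198.51.100.1)
06-Sep-2025 11:20:04.501 queries: info: client @0x7f3a2c04 192.0.2.13#7001 (VERSION.BIND): query: VERSION.BIND CH TXT - (198.51.100.1)
06-Sep-2025 11:20:05.000 queries: info: client @0x7f3a2c05 192.0.2.14#8000 (direct.shodan.io): query: direct.shodan.io IN A +E(0) (198.51.100.1)
06-Sep-2025 11:20:06.000 queries: info: client @0x7f3a2c06 192.0.2.15#9000 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.1)
"""


def parse_queries(lines, fold_case=False):
    """Yield (qname, qclass, qtype) for every line carrying a 'query:' field."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # lines without a query: field are skipped, as the perl does
        qname, qclass, qtype = m.groups()
        if fold_case:
            qname = qname.lower()  # DNS names compare case-insensitively
        yield qname, qclass, qtype


def count_queries(lines, min_count=2, fold_case=False):
    """Return [(count, qname, qclass, qtype), ...], highest count first.

    Tuples seen fewer than min_count times are dropped, which is what the
    post's grep -vE '^ +1 ' does for singletons.
    """
    tally = Counter(parse_queries(lines, fold_case))
    rows = [(n, *key) for key, n in tally.items() if n >= min_count]
    rows.sort(key=lambda r: (-r[0], r[1], r[2], r[3]))
    return rows


def classify(qname, qclass, qtype):
    """Coarse tag for the query shapes the post's table shows."""
    if qclass.upper() == "CH":
        return "chaos-fingerprint"   # version.bind / hostname.bind CH TXT
    if qtype.upper() == "ANY":
        return "any-probe"           # ANY queries, the bulk of the post's table
    return "other"


def summarize(log_text, min_count=2, fold_case=False):
    """Top tuples plus a per-tag count over all parsed queries."""
    lines = log_text.splitlines()
    tags = Counter(classify(*q) for q in parse_queries(lines, fold_case))
    return {"top": count_queries(lines, min_count, fold_case), "tags": tags}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, fold_case=True)
    for n, qname, qclass, qtype in result["top"]:
        print(f"{n:7d} {qname}\t{qclass}\t{qtype}")
    print(dict(result["tags"]))
```

Run against a real query log with `summarize(open("bind-queries.log").read())`; with `fold_case=False` the output matches the perl pipeline's grouping, and with `fold_case=True` the mixed-case CH TXT entries in the post's table collapse into one row.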