Finer control over REFUSED, e.g. root referrals

Dan Mahoney danm at prime.gushi.org
Sat Sep 6 21:08:58 UTC 2025
> On Sep 6, 2025, at 11:27, Fred Morris <m3047 at m3047.net> wrote:
> 
> So I have a BIND server which is publicly exposed, but which is not referenced from the canonical tree we call "The DNS". It serves as a firewall / DNS "WAF" for resources which it recurses to obtain.

Hey Fred,

If you have a service on port 53, people will find it and will throw queries against it, and they do not care if it does recursion or not.  They might not even care if there’s a service there or not.

Many times, these will be from spoofed IPs where they do not care about the query, they just want to send more traffic to a place.  This is especially common with ANY queries.

isc.org is a popular zone for redirection attacks because the response to an ANY query is pretty big, so it makes a nice payload to abuse someone else with.

You have not told us the actual outputs of these queries (do you know if you’re returning refused or not?), nor have you said if your server is somewhere inside gsu.edu, which might account for the large number of queries there, if you have clients that exist under that bailiwick.

-Dan
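The ANY-query traffic Dan describes is visible in BIND's query log; the script below is an added example (not from the thread or from ISC) that parses constructed querylog-style lines and flags client addresses sending bursts of ANY queries for the same name, so the source can be rate limited or answered with REFUSED. The log lines and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in BIND "querylog" format (not from the thread):
# client @handle ip#port (zone): query: qname IN qtype flags (local-addr)
SAMPLE_LOG = """\
06-Sep-2025 21:00:01.001 client @0x7f1 203.0.113.7#3301 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
06-Sep-2025 21:00:01.002 client @0x7f1 203.0.113.7#3302 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
06-Sep-2025 21:00:01.003 client @0x7f1 203.0.113.7#3303 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.53)
06-Sep-2025 21:00:01.004 client @0x7f2 198.51.100.9#5000 (www.example.com): query: www.example.com IN A + (192.0.2.53)
06-Sep-2025 21:00:01.005 client @0x7f3 203.0.113.7#3304 (gsu.edu): query: gsu.edu IN ANY +E(0) (192.0.2.53)
"""

# Pull client IP, zone, qname and qtype out of one querylog line.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]*)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def count_any_queries(log_text):
    """Return {(client_ip, qname): n} counting only ANY queries."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("qtype") == "ANY":
            counts[(m.group("ip"), m.group("qname"))] += 1
    return counts


def flag_sources(log_text, threshold=3):
    """Client IPs that sent at least `threshold` ANY queries for one name.

    In a reflection attack the source address is usually the spoofed victim,
    so the flagged IP is where the amplified responses are being sent.
    """
    per_pair = count_any_queries(log_text)
    return sorted({ip for (ip, _), n in per_pair.items() if n >= threshold})


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG):
        print("burst of ANY queries from", ip)
```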
More information about the bind-users mailing list