Finer control over REFUSED, e.g. root referrals
Fred Morris
m3047 at m3047.net
Sun Sep 7 23:30:05 UTC 2025
Andrew, you've given me an intriguing idea!
On Sun, 7 Sep 2025, Andrew Pavlin wrote:
>
> Personally, I would like an even finer control than what the allow-query
> option allows. I too run an authoritative server, and it too is being
> routinely used for DNS amplification attacks. Rather than returning a
> REFUSED error (which still uses bandwidth on my link and the poor
> victim's link), I would like to be able to configure my bind instance to
> not respond AT ALL to _any_ domain queries for which I am not
> authoritative or a "glue" server.
Have you got RPZ set up? I run two RPZs for access control, which are
consulted sequentially. The first one is the allow list, the second is the
block list (although there is no technical enforcement, just the rules
which go into each): this is best practice.
I added
*.EDU CNAME rpz-drop.
to the block list. "dig @athena.m3047.net gsu.edu IN ANY" is dead air now.
That doesn't solve the issue of people asking for root (".") or (bare) edu
and getting a "lie", but it does mitigate the issue of people asking for
gsu.edu and getting a referral to root which is a lie.
That was what I thought would happen. Things were a little more
interesting when I tried simply
* CNAME rpz-drop.
That did not stop the server from responding when asked for root. It
stopped pretty much everything else which wasn't in the allow list.
The thing which was surprising is that it didn't stop queries for the
(parent) zone which the server is authoritative for (I expected to have to
add allow entries), which sounds like the behavior you desire without the
hassle of creating allow list entries. Personally I need to do some more
research before I'm comfortable with that.
I hope that helps, and thanks for the inspiration...
--
Fred Morris, internet plumber
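[Editor's note: the configuration below is an added illustration of the two-RPZ layout described in the message above (allow list consulted first, block list second, with rpz-drop so the server sends nothing back instead of REFUSED). It is not Fred's or ISC's configuration. The zone name example.net, the 10.0.0.0/24 trusted prefix, the file paths and the serial numbers are placeholders.]

```conf
# --- named.conf fragment (assumed layout; adapt file paths to your install) ---
options {
    # Authoritative-only server: no recursion for anyone.
    recursion no;

    # RPZs are evaluated in the order listed; the first matching rule wins.
    # The allow list therefore goes first so its rpz-passthru entries beat
    # any drop rule in the block list. qname-wait-recurse no keeps BIND from
    # recursing just to evaluate policy (we are not a recursive server anyway).
    response-policy {
        zone "allow.rpz" policy given;
        zone "block.rpz" policy given;
    } qname-wait-recurse no;
};

# The RPZ zones themselves should never be answered to the public.
zone "allow.rpz" {
    type primary;
    file "rpz/allow.rpz.db";
    allow-query { localhost; };
};
zone "block.rpz" {
    type primary;
    file "rpz/block.rpz.db";
    allow-query { localhost; };
};

# The zone this server is actually authoritative for (placeholder name).
zone "example.net" {
    type primary;
    file "zones/example.net.db";
};

# --- rpz/allow.rpz.db --- (allow list: only passthru rules belong here)
# $TTL 300
# @                SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
#                  NS    localhost.
# ; QNAME triggers: the zone we serve, and everything under it, is never touched.
# example.net      CNAME rpz-passthru.
# *.example.net    CNAME rpz-passthru.
# ; CLIENT-IP trigger (prefix.reversed-octets.rpz-client-ip): a trusted
# ; management network (placeholder 10.0.0.0/24) bypasses the block list entirely.
# 24.0.0.0.10.rpz-client-ip  CNAME rpz-passthru.

# --- rpz/block.rpz.db --- (block list: only drop rules belong here)
# $TTL 300
# @                SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
#                  NS    localhost.
# ; rpz-drop: the query is discarded and no packet is sent, so a spoofed
# ; source address receives nothing (unlike REFUSED, which still costs bytes).
# *.edu            CNAME rpz-drop.
# ; The broader variant tried in the message. Note its stated limits: queries
# ; for "." or for the bare label "edu" are still answered.
# ; *               CNAME rpz-drop.
```

After `rndc reload` (or `named-checkconf` followed by a restart), the check from the message applies: `dig @your-server gsu.edu IN ANY` should time out rather than return REFUSED, while `dig @your-server example.net SOA` is still answered because the allow list matched first. Watch the `rpz` logging category while testing; each drop is logged with the rule that matched, which is the quickest way to confirm that the allow list is winning for the names you intend to keep serving.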