Is there a way to avoid miscreants?
Fred Morris
m3047 at m3047.net
Sun Apr 5 19:32:31 UTC 2026
On Sun, 5 Apr 2026, Alessandro Vesely wrote:
> On Sun 05/Apr/2026 19:06:47 +0200 Grant Taylor wrote:
>> On 4/4/26 6:50 AM, Alessandro Vesely wrote:
>>
>>> yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM
>>> UTC, from 4,287 different IPs. The top IP was
>>> 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
>>> subdomains, e.g. serverselect.tana.it, nu.tana.it, ll.tana.it,
>>> ghsms.tana.it, dragoner.tana.it, cinemathe.tana.it, bluefire.tana.it,
>>> umk.tana.it, tyche.tana.it, tsvb.tana.it.
>>
>> I'm not sure how to filter for sub-domains.
A response policy zone can do it:
*.TANA.IT CNAME rpz-drop.
I don't know what your operational environment is: authoritative,
recursive, two or two million domains, known clients or world+dog, etc.
There is dogma that authoritatives should never drop queries, seemingly in
the interests of DNS service providers (recursive and auth). As a small
auth operator if you know your clients (and their recursors) maybe you
just don't care. When I started dropping industrial quantities of this
garbage the overall volume decreased by literal orders of magnitude,
although it took a few months.
I see you've set up response rate limiting. Good.
You could do behavioral things, if you have behaviors you understand and
expect. I have good luck (not just with BIND, but with several publicly
exposed services / apps) with a combination of custom firewall logging, a
tailer that reads various logs (including e.g. BIND logs or dnstap) and
updates counters in Redis, and cron jobs which run frequently & read the
counters and write new logs tailored for fail2ban, along with some custom
fail2ban actions. Sounds complicated, but in practice it's not. This is off
topic for the BIND list, and I don't intend to put specific TTPs out here in
public, but you're welcome to introduce yourself and we can discuss further
privately.
--
Fred Morris, internet plumber
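Added example (not part of the post above, and not taken from BIND's documentation): a minimal named.conf fragment and RPZ zone file that realise the `*.TANA.IT CNAME rpz-drop.` record Fred suggests, plus passthru entries for the names you still want answered. The zone name drop.rpz.local, the file path, and the host names www and mail are assumptions. Two checks before relying on it: the wildcard matches every name below tana.it, including your real hosts, so each legitimate name needs its own exact `rpz-passthru.` entry (an exact match takes precedence over the wildcard), and the apex tana.it itself is not covered by `*.tana.it`. Also, response-policy is evaluated in BIND's resolver path, so confirm with dig against your own server that the rule actually fires in your configuration (authoritative vs. recursive) before assuming the flood stops.

```conf
# --- named.conf (assumed names and paths; added example) ---
options {
    # ... existing options ...
    response-policy {
        zone "drop.rpz.local";
    };
};

zone "drop.rpz.local" {
    type primary;            # "master" on BIND releases before 9.16
    file "/etc/bind/rpz/drop.rpz.local.db";
    allow-query { none; };   # RPZ data is consulted internally, never served
    allow-transfer { none; };
};

# --- /etc/bind/rpz/drop.rpz.local.db ---
$TTL 1h
@   IN SOA  localhost. hostmaster.localhost. (
            2026040501  ; serial
            1h 15m 30d 1h )
    IN NS   localhost.

; Exact names to keep answering; an exact match wins over the wildcard below.
; Owner names are relative to the RPZ apex, so this is www.tana.it.drop.rpz.local.
www.tana.it    CNAME rpz-passthru.
mail.tana.it   CNAME rpz-passthru.

; Everything else under tana.it: drop the query silently (no response at all).
*.tana.it      CNAME rpz-drop.
```

After `named-checkzone drop.rpz.local /etc/bind/rpz/drop.rpz.local.db` and `rndc reconfig`, `dig @127.0.0.1 nu.tana.it` should time out with no answer while `dig @127.0.0.1 www.tana.it` still resolves; if both answer, the policy is not being applied on this path and the RPZ approach does not fit your setup.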
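The tailer/counter/fail2ban pattern Fred describes, as an added example that is not his tooling and not from the post: a sliding-window detector over BIND query-log lines that flags a client by the number of distinct names it asks for under one zone, which is the behaviour in the numbers quoted above (one source, thousands of made-up subdomains), and renders one line per offender in a fixed format a fail2ban filter can match. Redis and cron are replaced by an in-memory deque so it runs stand-alone; the log lines, IPv6 addresses (2001:db8::/32), thresholds, the `dnsflood:` tag and the allowlist are constructed assumptions. The allowlist matters: a large public recursor legitimately asks an authoritative server for many distinct names, so known recursors must be exempted or you ban your own customers' resolvers.

```python
"""Sliding-window subdomain-flood detector for BIND query logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# BIND "queries" category line, with or without the "@0x..." client handle:
# 05-Apr-2026 01:52:13.456 client @0x7f.. 2001:db8::1#41234 (nu.tana.it): query: nu.tana.it IN A +E(0) (..)
QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[^#\s]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_offenders(lines, zone, window_s=600, min_distinct=50, allow=()):
    """Return {client_ip: (queries, distinct_names)} for every client that asked for
    at least `min_distinct` distinct names under `zone` within any `window_s`-second
    window; the tuple is the peak seen. Clients in `allow` (known recursors) are skipped.
    """
    suffix = "." + zone.rstrip(".").lower()
    recent = defaultdict(deque)  # ip -> deque of (ts, qname) inside the current window
    hits = {}
    for line in lines:
        ev = parse_query_log_line(line)
        if ev is None:
            continue
        ts, ip, qname, _ = ev
        if ip in allow or not qname.endswith(suffix):
            continue
        q = recent[ip]
        q.append((ts, qname))
        while (ts - q[0][0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= min_distinct and (ip not in hits or distinct > hits[ip][1]):
            hits[ip] = (len(q), distinct)
    return hits


def fail2ban_lines(hits, window_s, now=None):
    """One line per offender. A matching fail2ban filter would use
    failregex = ^.* dnsflood: ban-candidate <HOST> .*$  (assumed tag)."""
    stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
    return [f"{stamp} dnsflood: ban-candidate {ip} distinct={d} queries={n} window={window_s}s"
            for ip, (n, d) in sorted(hits.items())]


def _line(ts, ip, name):
    """Format one constructed query-log line in BIND's layout."""
    return (f"{ts.strftime('%d-%b-%Y %H:%M:%S.%f')[:-3]} client @0x7f0000001234 {ip}#40123 "
            f"({name}): query: {name} IN A +E(0) (2001:db8:1::53)")


def sample_log():
    """Constructed log modelled on the thread: one client asking for 100 distinct labels,
    one ordinary client asking for two real hosts, and one known recursor (to allowlist)."""
    t0 = datetime(2026, 4, 5, 1, 50, 0)
    flood_ip, normal_ip, recursor_ip = "2001:db8:bad::1", "2001:db8:ok::2", "2001:db8:aa::53"
    labels = ["serverselect", "nu", "ll", "ghsms", "dragoner", "cinemathe", "bluefire",
              "umk", "tyche", "tsvb"] + [f"h{i}" for i in range(90)]
    lines = []
    for i, label in enumerate(labels):
        lines.append(_line(t0 + timedelta(seconds=i), flood_ip, f"{label}.tana.it"))
        lines.append(_line(t0 + timedelta(seconds=i), recursor_ip, f"{label}.tana.it"))
    for i in range(40):
        lines.append(_line(t0 + timedelta(seconds=5 * i), normal_ip,
                           "www.tana.it" if i % 2 else "mail.tana.it"))
    lines.append("05-Apr-2026 01:55:00.000 general: info: unrelated log line")
    return lines


if __name__ == "__main__":
    offenders = find_offenders(sample_log(), "tana.it", allow={"2001:db8:aa::53"})
    for out in fail2ban_lines(offenders, 600):
        print(out)
```

In production the counter state would live in Redis as Fred describes, the cron job would call `fail2ban_lines` and append its output to a dedicated log, and a jail with the assumed `failregex` would read it. Banning a single IPv6 /128 is cheap for the sender to evade, so decide with your firewall whether the action should cover the /64 instead, and watch response rate limiting's own log first: RRL already identifies the heaviest sources, and this detector only adds the "many distinct names" signal on top.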