Is there a way to avoid miscreants?

Alessandro Vesely vesely at tana.it
Mon Apr 6 10:11:13 UTC 2026


Oops, this should've left days ago...

Thanks, that's the kind of thing I'm looking for.

I had recursion no and my rate-limit was way too high (10), probably because I 
misunderstood how it works.  empty-zones-enable is still somewhat obscure, but 
I'll try it.

Best
Ale


On Sat 04/Apr/2026 23:03:36 +0200 Nick Tait via bind-users wrote:
> Hi Alessandro.
> 
> Not sure if this helps, but these are the options that I’ve added to my external authoritative view to harden it:
> 
>          recursion no;
>          allow-recursion { none; };
>          max-cache-size 2m;
>          empty-zones-enable no;
>          rate-limit {
>                  responses-per-second 5;
>                  window 5;
>          };
> 
> Nick.
> 
>> On 5 Apr 2026, at 5:34 AM, Mike <debian at good-with-numbers.com> wrote:
>> 
>> Alessandro Vesely wrote:
>>> yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM
>>> UTC, from 4,287 different IPs.  The top IP was
>>> 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
>>> subdomains
>> 
>>> Are there any I should enable?
>> 
>> Probably.  What's available depends on your firewall.
>> 
>> Nftables can do rate limiting to the port, regardless of source IP, though
>> that would affect legitimate traffic, too.  Rate limiting by source IP
>> block looks like it would help a lot, too, in this case.
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
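The thread's diagnosis started from query-log counts (queries per source address in a ten-minute window, and how many distinct subdomains one address asked for), which is the measurement a rate-limit threshold should be tuned against. Below is an added example, not code from anyone in the thread, that does that counting over BIND's default `queries` category log lines. The log format it parses is assumed from BIND 9's usual layout, and the sample lines are constructed with documentation-range addresses.

```python
"""Summarise BIND query-log lines per client within a time window.

Added example for the bind-users thread above; not code from the thread.
Assumptions (labelled): the line layout of BIND 9's 'queries' log category,
and the constructed sample lines at the bottom.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9 query-log shape, e.g.
#   06-Apr-2026 01:50:12.345 client @0x55d0 198.51.100.7#5353 (a.example.org): \
#       query: a.example.org IN A -E(0)K (203.0.113.5)
# Newer versions print the '@0x...' handle; the pattern tolerates its absence.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+) "
)


def parse_query_log(lines):
    """Return (timestamp, client_ip, qname) tuples; unparsable lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        records.append((ts, m.group("ip"), m.group("qname").lower().rstrip(".")))
    return records


def summarise_clients(records, start, end):
    """Per client: total queries and distinct names asked for in [start, end)."""
    per_client = defaultdict(lambda: {"queries": 0, "names": set()})
    for ts, ip, qname in records:
        if start <= ts < end:
            per_client[ip]["queries"] += 1
            per_client[ip]["names"].add(qname)
    return {ip: {"queries": c["queries"], "distinct_names": len(c["names"])}
            for ip, c in per_client.items()}


def flag_clients(summary, max_queries, max_distinct_names):
    """Clients exceeding either threshold, sorted for stable output."""
    return sorted(ip for ip, s in summary.items()
                  if s["queries"] > max_queries or s["distinct_names"] > max_distinct_names)


# Constructed sample: one noisy client walking numbered subdomains, one
# ordinary client repeating a single name, and one line outside the window.
SAMPLE_LOG = [
    f"06-Apr-2026 01:5{i // 10}:{i % 10:02d}.000 client @0x55d0 2001:db8::1#4444 "
    f"(q{i}.example.org): query: q{i}.example.org IN A -E(0)K (203.0.113.5)"
    for i in range(12)
] + [
    "06-Apr-2026 01:52:10.100 client @0x55d1 198.51.100.7#5353 (www.example.org): "
    "query: www.example.org IN A -E(0)K (203.0.113.5)",
    "06-Apr-2026 01:55:00.200 client @0x55d1 198.51.100.7#5353 (www.example.org): "
    "query: www.example.org IN AAAA -E(0)K (203.0.113.5)",
    "06-Apr-2026 02:05:00.300 client @0x55d0 2001:db8::1#4444 (late.example.org): "
    "query: late.example.org IN A -E(0)K (203.0.113.5)",
    "this line is not a query-log entry and is skipped",
]

WINDOW_START = datetime(2026, 4, 6, 1, 50)
WINDOW_END = datetime(2026, 4, 6, 2, 0)


def analyse_sample(max_queries=10, max_distinct_names=10):
    """Run the pipeline over the constructed sample; returns (summary, flagged)."""
    summary = summarise_clients(parse_query_log(SAMPLE_LOG), WINDOW_START, WINDOW_END)
    return summary, flag_clients(summary, max_queries, max_distinct_names)


if __name__ == "__main__":
    summary, flagged = analyse_sample()
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["queries"]):
        print(f"{ip:40} queries={s['queries']:6} distinct_names={s['distinct_names']:6}")
    print("over threshold:", flagged)
```

Point it at a real `queries` log (turned on with `rndc querylog`) by replacing `SAMPLE_LOG` with the file's lines and widening the window. The distinct-name count is the useful signal here: BIND's `rate-limit` block counts responses per name, so a client spreading its load across thousands of subdomains (as in the 5,261-subdomain case above) can stay under `responses-per-second` while still being obvious in this per-client view, which is why the firewall-side per-source limiting Mike mentions complements the named.conf options.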



More information about the bind-users mailing list