<div dir="ltr">Thanks for the info. Also I'll have to note that I completely missed that the "offending IP" is one of the .uk root servers so the next logical conclusion is I've probably got a box in one of my environments driving an amplification attack of some sort or something at those IPs that I need to figure out. Sorry for the bother and thanks for the feedback. Much appreciated.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 8, 2016 at 10:51 AM, Ray Bellis <span dir="ltr"><<a href="mailto:ray@isc.org" target="_blank">ray@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/08/2016 18:43, Darcy Kevin (FCA) wrote:<br>
> As already noted, allow-query will cause you to send back a REFUSED<br>
> response. That’s sort of the whole point of the REFUSED RCODE.<br>
><br>
><br>
><br>
</span>> If you want to not send back any response **whatsoever**, then take a<br>
<span class="">> look at the “blackhole” statement, but, honestly, this kind of “drop”<br>
> function may, depending on network topology, be more efficiently<br>
> performed in your firewall or IDS/IPS.<br>
><br>
><br>
><br>
> Be aware that a client that doesn’t get a response may retry the query,<br>
> so simply “dropping” queries may ultimately prove counter-productive.<br>
<br>
</span>and also see Mark Andrew's Internet Draft on this very topic:<br>
<br>
<a href="https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03" rel="noreferrer" target="_blank">https://tools.ietf.org/html/<wbr>draft-ietf-dnsop-no-response-<wbr>issue-03</a><br>
<br>
Ray<br>
<br>
______________________________<wbr>_________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br>
</blockquote></div><br></div>