Many authoritative DNS servers face constant bombardment with malicious ANY queries for domains like isc.org or ripe.net. These queries don't seek legitimate information but aim to exploit recursive resolution for DDoS amplification.
With `allow-recursion` restricted to your LAN, BIND currently responds to these invalid recursive queries with referral responses pointing to the root servers. While this rejects recursion, it still:
- Consumes server resources
- Generates unnecessary network traffic
- Leaves attack surface for potential abuse
Add these directives to your `named.conf`:

```
options {
    // Reject recursion for unauthorized clients
    allow-recursion { 192.168.1.0/24; };
    // Drop every query that matches the RPZ zone "rpz-drop-list" defined below.
    // response-policy takes the names of RPZ zones, not the attacked domains
    // themselves; "policy drop" overrides the per-record actions in that zone.
    response-policy {
        zone "rpz-drop-list" policy drop;
    };
    // Rate limiting
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```
For dynamic protection against emerging attack targets, implement Response Policy Zones:

```
options {
    response-policy {
        zone "rpz-drop-list";
    } break-dnssec yes;
};

zone "rpz-drop-list" {
    type primary;
    file "/etc/bind/db.rpz-drop-list";
    allow-query { none; };
};
```
Example RPZ zone file content:

```
$TTL 1H
@   IN SOA localhost. root.localhost. (1 1h 15m 30d 2h)
    IN NS  localhost.
; Attack patterns
isc.org    CNAME .
*.isc.org  CNAME .
ripe.net   CNAME .
```
Check query drops with the following (the `rpz` and `rate-limit` logging categories must be directed to that log file for the grep to find anything):

```sh
rndc stats
grep -E 'rpz|dropped' /var/log/named.log
```
Adjust rate limits based on your traffic patterns:

```
rate-limit {
    all-per-second 20;
    errors-per-second 5;
    nxdomains-per-second 5;
};
```
When running a public-facing BIND nameserver that serves as authoritative for certain domains, you'll inevitably face malicious ANY queries for domains like isc.org or ripe.net. These are part of distributed DNS amplification attacks where attackers spoof source IPs to generate massive traffic.
While a proper `allow-recursion` configuration prevents actual recursion, the default BIND behavior still generates responses containing root server referrals (authority and additional sections). This consumes bandwidth and CPU resources unnecessarily.
BIND 9.8+ provides elegant solutions to completely drop these unwanted queries:

```
options {
    // Global blackhole for invalid recursive queries
    blackhole {
        // Network ranges that should receive no response
        192.0.2.0/24;               // Example bogus network
        // <attacker-prefix>/28;    // replace with the offending source range
    };
    // Alternative: Rate limiting
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```
For more granular control, implement RPZ (Response Policy Zones):

```
options {
    response-policy {
        zone "rpz-drop";
    };
};

zone "rpz-drop" {
    type master;
    file "/etc/bind/rpz-drop.db";
    allow-query { none; };
};
```
Example RPZ database content:

```
; rpz-drop.db
$TTL 1h
@   IN SOA localhost. root.localhost. (1 1h 15m 30d 2h)
    IN NS  localhost.
; Trigger on these names. RPZ matches the query name only, so the query type
; (ANY) cannot appear in the record and is not part of the match.
; "CNAME ." answers NXDOMAIN; to send no response at all use "CNAME rpz-drop."
; or a zone-wide "policy drop" in the response-policy statement.
isc.org   CNAME .
ripe.net  CNAME .
*.arpa    CNAME .
```
When implementing these solutions:
- Monitor CPU usage: complex RPZ rules may increase load
- Consider combining with `recursion no;` in global options
- Use `statistics-channels` to track dropped queries
Here's a production-tested configuration that combines multiple approaches:

```
options {
    directory "/var/cache/bind";
    recursion no;
    allow-recursion { none; };
    // Blackhole known attackers (private ranges should never be query sources
    // on a public-facing server; add other offending source ranges here)
    blackhole {
        10.0.0.0/8;
        192.168.0.0/16;
    };
    // Rate limit remaining queries
    rate-limit {
        responses-per-second 5;
        window 3;
    };
    // RPZ for specific attack patterns
    response-policy {
        zone "rpz-malicious";
    };
};

zone "rpz-malicious" {
    type master;
    file "/etc/bind/rpz.db";
    allow-query { none; };
};
```
The key benefits of this approach include complete silence for blackholed networks, rate limiting for suspicious queries, and surgical precision blocking via RPZ.
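As an added example, not code from either answer above, this Python script simulates how BIND's RPZ QNAME trigger decides what happens to a query against record lines like those in the zone files shown above: the exact owner wins, then the closest wildcard, and a zone-wide `policy` overrides the record's own action. The zone text inside it is constructed for the example; the mapping from CNAME target to action follows the RPZ conventions BIND documents.

```python
import re

# RPZ CNAME target -> policy action, named as BIND logs it ("rpz QNAME DROP rewrite ...")
ACTIONS = {
    ".": "NXDOMAIN",              # CNAME .             -> answer NXDOMAIN
    "*.": "NODATA",               # CNAME *.            -> answer NODATA
    "rpz-drop.": "DROP",          # CNAME rpz-drop.     -> send no response at all
    "rpz-passthru.": "PASSTHRU",  # CNAME rpz-passthru. -> exempt from later rules
}

# owner [IN] CNAME target; the owner is relative to the RPZ zone origin
RECORD = re.compile(r"^(\S+)\s+(?:IN\s+)?CNAME\s+(\S+)$", re.I)

# Constructed drop-list zone modelled on the zone files in the answers above.
ZONE = """\
$TTL 1h
@ IN SOA localhost. root.localhost. (1 1h 15m 30d 2h)
  IN NS localhost.
; constructed trigger records
isc.org       CNAME .
*.isc.org     CNAME .
ripe.net      CNAME rpz-drop.
*.example.com CNAME rpz-passthru.
"""

def parse_rpz(text):
    """Map each QNAME trigger (owner) to its action; $TTL/SOA/NS lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RECORD.match(line.split(";", 1)[0].strip())
        if m:
            rules[m.group(1).lower().rstrip(".")] = ACTIONS.get(m.group(2).lower(), "LOCAL-DATA")
    return rules

def lookup(rules, qname, zone_policy=None):
    """Action for qname: exact owner wins, then the closest wildcard, else None.
    QTYPE never enters the decision (ANY and A are treated alike); a zone-wide
    'policy' such as "DROP" replaces the matching record's own action."""
    q = qname.lower().rstrip(".")
    labels = q.split(".")
    hit = q if q in rules else None
    for i in range(1, len(labels)):           # *.isc.org covers www.isc.org, not isc.org
        cand = "*." + ".".join(labels[i:])
        if hit is None and cand in rules:
            hit = cand
    if hit is None:
        return None                           # no trigger fired: normal processing
    return zone_policy or rules[hit]
```

`lookup(parse_rpz(ZONE), "www.isc.org")` returns `NXDOMAIN` while `lookup(parse_rpz(ZONE), "www.isc.org", "DROP")` returns `DROP`, which is the difference between the plain `response-policy` statement and the `policy drop` variant shown earlier.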