reject invalid dns queries

Daniel Dawalibi daniel.dawalibi at idm.net.lb
Mon Jan 19 14:14:46 UTC 2015


Hello

Invalid DNS queries: non-existent domains that do not resolve to any IP, as mentioned in the example below.
We are trying to protect our DNS servers from a number of invalid DNS queries targeting our caching server and originating from different source IPs. Is there any way to drop these requests based on the Query Access list from the DNS configuration file (named.conf)?


Example:

Default Server:  google-public-dns-a.google.com
Address:  DNS IP

> invaliddnsqueries.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** DNS IP can't find invaliddnsqueries.com: Non-existent domain


DNS query logs:

19-Jan-2015 15:44:08.519 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:45:00.214 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:46:08.100 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)


Regards
Daniel
-----Original Message-----
From: Warren Kumari [mailto:warren at kumari.net] 
Sent: Wednesday, January 14, 2015 11:31 PM
To: Daniel Dawalibi
Cc: bind-users at lists.isc.org
Subject: Re: reject invalid dns queries

Perhaps if you explained a little more clearly what you are trying to accomplish you might get more replies...
What are "invalid DNS queries"? What are they in the configuration?



On Wed, Jan 14, 2015 at 5:53 AM, Daniel Dawalibi <daniel.dawalibi at idm.net.lb> wrote:
> Hello,
>
> Is there any solution to drop the invalid DNS queries from the BIND 
> configuration?
>
> Regards
>
> Daniel



--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf


