RPZ behavior for authoritative servers

Chuck Aurora ca at nodns4.us
Thu Oct 24 03:37:14 UTC 2019


On 2019-10-23 18:14, Mik J via bind-users wrote:
Hi,

> I know that the RPZ functionality aims to block/redirect/log DNS
> queries from the inner network.
> 
> What about the authoritative DNS facing the Internet ?
> 
> I receive some spam, I get probed on my webservers etc.
> Many of these annoyances start with a DNS query.
> 
> What is mydomain.org? My DNS answers 1.2.3.4
> Then the annoyances start on port 25 or 80 or 443...
> 
> So my question is this one.
> Is it possible to load a list of IP clients and/or networks that can
> be called the "zombie list"?
> If a computer from the zombie list wants to resolve mydomain.org, my

Here is where you err.  You're assuming that you will know the source
of the query and be able to associate a certain query with an attack.
That's highly improbable.

Most [probably all] of these annoyances are malware running on
compromised machines.  Malware usually makes an effort to stay small,
and as such, it's likely to offload as much as it can to the system
libraries.  Name resolution is a good candidate for offloading.

The system library will send DNS queries to the nameserver[s] as
received from DHCP.  Those nameservers will do the recursion, and you
will see the queries coming from ISP resolvers and open resolvers like
Google's.

> DNS replies 127.0.0.1 or some IP that is allocated to an Antarctic
> network.
> Then, I never get annoyed.

Even if you DO correctly pin the query to the attack, you do NOT want
to poison Google's cache with misinformation.

Sorry.

Also, if you were to do something like this, please do NOT abuse real
IP address holders, especially not our .AQ friends.  I'm sure network
lag there is bad enough without us making it worse.

-CA
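The place where a client-address "zombie list" does work is the recursive resolver that the internal hosts actually talk to, because there the source address of the query is the host itself. The fragments below are an added illustration, not configuration from this thread or from ISC; the zone name, file path and 192.0.2.0/24 client range are placeholders.

```conf
// named.conf fragment for the INTERNAL recursive resolver.
// Placeholder addresses: 192.0.2.0/24 is the internal client range.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
    // The policy is applied to answers handed to our own clients only.
    response-policy { zone "rpz.example"; } qname-wait-recurse no;
};

zone "rpz.example" {
    type master;
    file "/etc/bind/rpz.example.db";
    allow-query { localhost; };   // never serve the policy zone itself
};

// ---- /etc/bind/rpz.example.db (zone-file syntax, ';' comments) ----
// $TTL 300
// @   IN SOA localhost. hostmaster.localhost. ( 2019102401 3600 600 86400 300 )
//     IN NS  localhost.
//
// ; Client-IP trigger: a query ARRIVING FROM 192.0.2.0/24 gets NXDOMAIN.
// ; Owner name is prefixlen.octet4.octet3.octet2.octet1.rpz-client-ip
// 24.0.2.0.192.rpz-client-ip   CNAME .
//
// ; One host on the list: log the match but still answer normally,
// ; useful while the machine is being cleaned up.
// 32.77.2.0.192.rpz-client-ip  CNAME rpz-passthru.
//
// ; On the Internet-facing AUTHORITATIVE server the same trigger would
// ; match the ISP or public resolver that forwarded the query, not the
// ; compromised host, and the NXDOMAIN it produced would be cached by
// ; that resolver and served to all of its users (the point made above).
```

Matches are visible in the `rpz` logging category, which is the safer first step before any blocking action.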
