Millions of './ANY/IN' queries denied

[Matus UHLAR - fantomas]

>>> You don't understand what kind of blacklist I want; I want to blacklist the domain name
>>> being asked for, so I don't answer for it. I'm not looking to blacklist forged IP addresses
>>> of requestors (since we all know criminals don't use their own identities; they use the
>>> identities of innocent bystanders).
>>>
>>> Again, why should _my_ nameserver_ respond to a query for "./ANY/IN"? I am not a rootserver, and never will be.

these answers are minimal, so the problem is made as small as possible.

>Reindl Harald <h.reindl at thelounge.net> writes:
>Am 16.12.21 um 14:22 schrieb Andrew P.:
>>AGAIN: you don't gain anything by not responding on a UDP protocol
>>because the client can't distinct no response and packet loss

On 16.12.21 13:56, Andrew P. wrote:
>AGAIN, the criminal DDoS attacker who's creating these forged requests
> isn't looking for replies to themselves; they're looking to abuse some
> poor victim.  And the victim can't make the attacker shut up.

I use fail2ban to block these, so while a few packets always pass, the rest
gets blocked.

>>so you *increase* the load by retries on the client
>
>No, the attacker is going to send their packets as often as they feel like
> it regardless of whether I answer, and they won't know if the load on the
> victim is sufficient to crush them (or if I am participating), since the
> attacker isn't receiving the attack.  They won't speed up on me just
> because I refuse to participate in their ugly little games because they
> won't know I'm not playing along (at least until they decide to attack
> _me_ instead of someone else).
>
>>don't get me wrong but you need to understand the implications of what
>>you are doing - for DOS attacks "Response Rate Limiting" was invented
>>and for non-DOS requests there isn't any valid reason to take action
>
>Please tell me what non-DOS requests would be asking _my_ name server to
> dump the root domain.  I'm not running a caching-only public nameserver
> (such as an ISP might run for their customers), so _no_ _one_ should be
> asking my nameserver for the entire root domain.  Even webcrawlers don't
> need to harrass non-root-nameservers for root domain information.
>
>Note I haven't done anything yet; I'm asking if there _is_ a way to do it
> presently implemented in Bind.

none I know so far.
I'd be glad if someone told me there's better way and what it is.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.