You can’t do that with authoritative nameservers, by definition they answer queries from anyone (except possibly for blacklists and rate limiting).
Also, “only answer” can mean several things, from dropping the packets, to refusing the query, to answering with a referral to the gTLD servers. If you did it in the nameserver config, they are probably refusing the query. Typically that won’t provide amplification, but it will create bidirectional traffic. And if you are the target of the DDoS, not just being used for amplification, there’s not much you can do other than absorb the traffic or get it stopped upstream of you.

From: Bill Prince via Af
Sent: Wednesday, December 24, 2014 11:06 AM
To: [email protected]
Subject: Re: [AFMUG] Is this what a dDOS attack looks like?

We restrict our DNS servers to only answer to IPs within our own subnets. Not only are they "within the US", they would pretty much be within our county.

--
bp <part {dash} 15 {at} SkylineBroadbandService {dot} com>

On 12/24/2014 8:59 AM, Tyson Burris @ Internet Communications Inc via Af wrote:

Our DNS servers have been hit all week long. Yesterday was the first time I saw some coming from within the US.

Tyson Burris, President
Internet Communications Inc.
739 Commerce Dr.
Franklin, IN 46131
317-738-0320 Daytime #
317-412-1540 Cell/Direct #
Online: www.surfici.net
What can ICI do for you? Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure.

From: Af [mailto:[email protected]] On Behalf Of Bill Prince via Af
Sent: Wednesday, December 24, 2014 11:14 AM
To: Motorola III
Subject: [AFMUG] Is this what a dDOS attack looks like?

One of our routers showed a massive increase in traffic last night around 19:15 Pacific time (see below). It didn't crash, but got super busy during that time, and appeared to be "locked up". Nothing shows in the logs, but a segment of our network appeared to be unavailable for a few minutes. By the time I figured out what was going on, the traffic "went away".

--
bp <part {dash} 15 {at} SkylineBroadbandService {dot} com>
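The top reply's point about the three "only answer our subnets" behaviours (drop, REFUSED, referral) and which of them amplifies can be checked by hand. The following is an added example, not code from anyone in the thread: it builds minimal DNS messages with the standard library and compares how many bytes each policy sends back per byte of spoofed query. The nameserver names and the 192.0.2.x glue addresses are constructed sample data, and the sizes are upper bounds because no name compression is used.

```python
import struct

# Constructed example: hand-built DNS messages (RFC 1035 wire format) to compare
# what a server returns to a spoofed query under each policy from the thread:
# drop the packet, answer REFUSED (RCODE 5), or answer with a referral to the
# gTLD servers. Ratio = response bytes / query bytes (0 means nothing was sent).

def encode_name(name):
    """Encode a dotted name as DNS labels; no compression, so sizes are upper bounds."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"

def build_query(qname, qtype=255, txid=0x1234):
    """Standard query (RD set); qtype 255 = ANY, the classic amplification query."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)

def rr(owner, rtype, rdata, ttl=172800):
    """One resource record: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

def respond_refused(query):
    """Policy 'refuse': header with QR=1 and RCODE=5, question echoed, no records."""
    txid = struct.unpack(">H", query[:2])[0]
    return struct.pack(">HHHHHH", txid, 0x8005, 1, 0, 0, 0) + query[12:]

def respond_referral(query, zone, nameservers):
    """Policy 'refer': NS records in the authority section plus glue A records."""
    txid = struct.unpack(">H", query[:2])[0]
    authority = b"".join(rr(zone, 2, encode_name(ns)) for ns, _ in nameservers)
    glue = b"".join(rr(ns, 1, bytes(map(int, ip.split(".")))) for ns, ip in nameservers)
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 0, len(nameservers), len(nameservers))
    return header + query[12:] + authority + glue

def amplification(query, response):
    """Bytes sent back per byte received; 0.0 when the query was silently dropped."""
    return len(response) / len(query) if response else 0.0

def compare_policies():
    q = build_query("example.com")
    # constructed glue (RFC 5737 documentation range), not the real gTLD server addresses
    gtld = [("%s.gtld-servers.net" % c, "192.0.2.%d" % (i + 1))
            for i, c in enumerate("abcdefghijklm")]
    return {"drop": amplification(q, b""),
            "refused": amplification(q, respond_refused(q)),
            "referral": amplification(q, respond_referral(q, "com", gtld))}

if __name__ == "__main__":
    for policy, ratio in compare_policies().items():
        print(f"{policy:9s} {ratio:5.1f}x")
```

The REFUSED reply is exactly the size of the query (header plus echoed question), which is the "bidirectional traffic but no amplification" case; the referral with 13 NS records and glue comes back roughly 30 times larger than the query.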
