So I have a BIND server which is publicly exposed, but which is not
referenced from the canonical tree we call "The DNS". It serves as a
firewall / DNS "WAF" for resources which it recurses to obtain.
People (bad, misinformed people) issue queries to it, for things which it
is not intended or capable of answering: it is not a general-purpose
recursing resolver:
# perl -ne 'm/query: (\S+) (\S+) (\S+)/ && printf "%s\n", join( "\t", $1,
$2, $3);' bind-queries.log | sort | uniq -c | sort -rnk1 | grep -vE '^ +1
'
1912 gsu.edu IN ANY
13 sl IN ANY
10 isc.org IN TXT
10 isc.org IN ANY
10 cloudflare.com IN DNSKEY
9 version.bind CH TXT
9 ripe.net IN DNSKEY
9 cloudflare.com IN ANY
8 ripe.net IN TXT
8 ripe.net IN ANY
8 isc.org IN DNSKEY
8 cloudflare.com IN TXT
6 vtb.com IN ANY
3 collectd.org IN ANY
2 VERSION.BIND CH TXT
2 hostname.bind CH TXT
2 hbtbank.com IN TXT
2 hbtbank.com IN ANY
2 direct.shodan.io IN A
(That's a taste from the past 24 hours.)
It can't answer any of those questions, and properly enough given that it
recurses, answers NXDOMAIN. For completeness, you get essentially the
same answer if you ask +norecurse. But the mote in my eye is the AUTHORITY
section, which contains a referral to root (".") which references this
server, not the canonical roots. Mockapetris can holster his sidearm,
because this server is not part of The DNS.
However if I ask one of ISC's nameservers (ns1.isc.org) running BIND
9.18.38 according to version.bind for something which it is not
authoritative for it answers REFUSED, with no referral in AUTHORITY. I'd
like to be able to do that.
# dig @ns1.isc.org . TXT +norecurse
; <<>> DiG 9.12.3-P1 <<>> @ns1.isc.org . TXT +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21168
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8aef89922fc3d6b60100000068bc7b689f633c48a5f93945 (good)
;; QUESTION SECTION:
;. IN TXT
;; Query time: 35 msec
;; SERVER: 149.20.2.26#53(149.20.2.26)
;; WHEN: Sat Sep 06 11:20:24 PDT 2025
;; MSG SIZE rcvd: 56
It would be nice if I could achieve this behavior, IN CASE someone else
running a server for this purpose intentionally or inadvertently put it in
The DNS (tree). Just so Mockapetris doesn't come gunning for them.
It seems as though somehow that behavior is implicit in allowing /
disallowing recursion by the server. I could modify the code and recompile
so that it answered everything "AA"; in fact I'd be pleased if this server
straight up lied and claimed to be authoritative for all of the domains it
legitimately queries, just saying. I don't know if I'd have to do some
additional work to get it to answer REFUSED.
It occurred to me that RPZ would be an option; but the RPZ implementation
has no option to return REFUSED.
Am I missing something?
--
Fred Morris, internet plumber
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
