On Sun, 5 Apr 2026, Alessandro Vesely wrote:
On Sun 05/Apr/2026 19:06:47 +0200 Grant Taylor wrote:
 On 4/4/26 6:50 AM, Alessandro Vesely wrote:

 yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM
 UTC, from 4,287 different IPs.  The top IP was
 2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
 subdomains, e.g. serverselect.tana.it, nu.tana.it, ll.tana.it,
 ghsms.tana.it, dragoner.tana.it, cinemathe.tana.it, bluefire.tana.it,
 umk.tana.it, tyche.tana.it, tsvb.tana.it.

 I'm not sure how to filter for sub-domains.

A response policy zone can do it:

    *.TANA.IT CNAME rpz-drop.

I don't know what your operational environment is: authoritative, recursive, two or two million domains, known clients or world+dog, etc. There is dogma that authoritatives should never drop queries, seemingly in the interests of DNS service providers (recursive and auth). As a small auth operator if you know your clients (and their recursors) maybe you just don't care. When I started dropping industrial quantities of this garbage the overall volume decreased by literal orders of magnitude, although it took a few months.

I see you've set up response rate limiting. Good.

You could do behavioral things, if you have behaviors you understand and expect. I have good luck (not just with BIND, but with several publicly exposed services / apps) with a combination of custom firewall logging, a tailer that reads various logs (including e.g. BIND logs or dnstap) and updates counters in Redis, and cron jobs which run frequently, read the counters and write new logs tailored for fail2ban, along with some custom fail2ban actions. Sounds complicated but in practice it's not. This is off topic for the BIND list and I don't intend to put specific TTPs out here in public, but you're welcome to introduce yourself and we can discuss further privately.

--

Fred Morris, internet plumber
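A minimal tailer along the lines Fred describes, added here as an example and not code from the thread or from BIND: it parses BIND querylog lines, keeps per-client counters for one zone, and flags clients that combine volume with many distinct labels (the pattern behind the 47,304 queries for 5,261 subdomains quoted above). The log lines, thresholds and the in-memory dict standing in for Redis are all constructed assumptions.

```python
# Added example (not from the thread): tally BIND querylog lines per client and
# flag clients sending many queries for many distinct names under one zone.
import re
from collections import defaultdict

# BIND 9 querylog line shape; the "@0x..." client pointer is optional.
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>\S+)#\d+ "
                      r"\((?P<qname>[^)]+)\): query: \S+ IN \S+")

def parse_query(line):
    """Return (client_ip, qname) for a querylog line, or None for other lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("qname").lower().rstrip(".")

def count_clients(lines, zone):
    """Map client IP -> (query count, set of distinct names) for names in zone."""
    counts, names = defaultdict(int), defaultdict(set)
    zone = zone.lower().rstrip(".")
    for line in lines:
        if (parsed := parse_query(line)) is None:
            continue  # notify, transfer or other non-query log line
        ip, qname = parsed
        if qname != zone and not qname.endswith("." + zone):
            continue  # query for some other zone
        counts[ip] += 1
        names[ip].add(qname)
    return {ip: (counts[ip], names[ip]) for ip in counts}

def flag_floods(lines, zone, min_queries=20, min_distinct=10):
    """Clients over both thresholds (assumed values); requiring label diversity
    as well as volume spares a resolver that merely repeats a few real names."""
    return sorted(ip for ip, (n, distinct) in count_clients(lines, zone).items()
                  if n >= min_queries and len(distinct) >= min_distinct)

# Constructed sample log: one client hammering random labels under tana.it, one
# resolver repeating a real name, one query for another zone, one non-query line.
SAMPLE_LOG = (
    [f"client @0x1 2001:db8::1#4{i:04d} (x{i}.tana.it): query: x{i}.tana.it IN A -E(0) (192.0.2.53)"
     for i in range(25)]
    + [f"client @0x2 192.0.2.10#5{i:04d} (www.tana.it): query: www.tana.it IN A +E(0)K (192.0.2.53)"
       for i in range(30)]
    + ["client 198.51.100.7#53123 (mail.example.net): query: mail.example.net IN MX +E(0) (192.0.2.53)",
       "zone tana.it/IN: sending notifies (serial 2026040501)"]
)

if __name__ == "__main__":
    for ip, (n, distinct) in count_clients(SAMPLE_LOG, "tana.it").items():
        print(f"{ip}: {n} queries, {len(distinct)} distinct names")
    print("flagged:", flag_floods(SAMPLE_LOG, "tana.it"))  # ['2001:db8::1']
```

The flagged list is what a cron job would turn into a fail2ban-style log line or an RPZ/firewall entry; the legitimate resolver with 30 queries for one name stays below the diversity threshold and is left to RRL.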
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.