[DNSfirewalls] A non RPZ DNS firewall question

Paul Vixie paul at redbarn.org
Sat Jul 30 00:35:40 UTC 2022

Francis Turner via DNSfirewalls wrote on 2022-07-29 16:52:
> At least I don’t think it’s an RPZ question because I don’t believe it 
> is part of the spec.


> Is it possible in Bind or other DNS servers to filter based on RRTYPE 
> e.g. always replying NXDOMAIN to TXT queries or for that matter to other 
> arbitrary TYPEXX queries?

not easily though it's common in load balancers (which are buggy).

nxdomain is about the name and can't depend on the type. yet:


> We have some customers who are seeing their 
> public recursive DNS servers being abused by queries of this sort. It’s 
> possibly DDOS, it’s possible DNS Tunnelling, it may be some other abuse 
> but either way they want it to stop – at least from certain users of 
> their servers. Unfortunately neither they, nor I, can think of a good 
> way to do this

i suggest posting a dnscap trace to dns-operations@ to get more eyes on it.

P Vixie

More information about the DNSfirewalls mailing list