<div dir="ltr"><div>You may want to investigate using dnsdist and some of the capabilities it has.</div><div><br></div><div>I'd suggest using something like "refused".</div><div>(Definitely not "servfail" as that will make the client retry repeatedly, making things worse.)</div><div>You could also simply drop the queries silently, I think, as long as you're fairly sure the sender is who they say they are.</div><div>(If you are in doubt, this is the poster child for using DNS cookies.)</div><div><br></div><div>Brian</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jul 29, 2022 at 4:52 PM Francis Turner via DNSfirewalls <<a href="mailto:dnsfirewalls@lists.redbarn.org">dnsfirewalls@lists.redbarn.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="gmail-m_-6926093800689042185WordSection1">
<p class="MsoNormal">At least I don’t think it’s an RPZ question, because I don’t believe it is part of the spec.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Is it possible in BIND or other DNS servers to filter based on RRTYPE, e.g. always replying NXDOMAIN to TXT queries or, for that matter, to other arbitrary TYPEXX queries? We have some customers who are seeing their public recursive DNS servers being abused by queries of this sort. It’s possibly DDoS, it’s possibly DNS tunnelling, it may be some other abuse, but either way they want it to stop – at least from certain users of their servers. Unfortunately neither they nor I can think of a good way to do this.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Regards</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Francis</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Francis Turner</span></b></p>
<p class="MsoNormal" style="background:white"><span style="color:black">Threat STOP Global SE</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt;color:rgb(89,89,89)">JP Cell: +81-8080404701 | US Cell: +1-760-402-7676</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt;color:rgb(89,89,89)">Office: +1-760-542-1550 | Skype: francis.turner.threatstop</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt;color:black"><a href="mailto:francis@threatstop.com" target="_blank"><span style="color:rgb(5,99,193)">francis@threatstop.com</span></a> | </span><span style="color:black"><a href="http://www.threatstop.com/" target="_blank"><span style="font-size:12pt;color:rgb(0,112,192)">www.threatstop.com</span></a></span></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Weaponize Your Threat Intelligence</span></b></p>
<p class="MsoNormal" style="background:white"><span style="color:black">“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie</span></p>
<p class="MsoNormal"> </p>
</div>
</div>
_______________________________________________<br>
DNSfirewalls mailing list<br>
<a href="mailto:DNSfirewalls@lists.redbarn.org" target="_blank">DNSfirewalls@lists.redbarn.org</a><br>
<a href="http://lists.redbarn.org/mailman/listinfo/dnsfirewalls" rel="noreferrer" target="_blank">http://lists.redbarn.org/mailman/listinfo/dnsfirewalls</a><br>
</blockquote></div></div>
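<p>The dnsdist approach Brian sketches above, written out as an added example (this is illustrative configuration, not code from either poster or from the dnsdist project). It puts dnsdist in front of the recursor, answers REFUSED to TXT queries from the client ranges that are causing trouble, and drops them silently only when the query arrived over TCP, since a completed TCP handshake is what makes it reasonably certain the source address is genuine (a spoofed UDP source could otherwise be used to make the resolver drop a victim's legitimate queries). The backend address, the two client prefixes (RFC 5737 documentation ranges) and the per-source rate limit are constructed placeholders; the rule and action names follow dnsdist 1.4 and later.</p>

```lua
-- dnsdist configuration (Lua). Added example; placeholder values throughout.
-- Assumptions: the recursor being protected listens on 127.0.0.1:5300, and the
-- "certain users" whose TXT / TYPExx queries are unwanted come from the two
-- documentation prefixes below. Replace with the real backend and prefixes.

setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300", name = "recursor"})

-- Client ranges whose TXT (and other unusual-type) queries should not reach
-- the recursor at all.
local restricted = newNMG()
restricted:addMask("192.0.2.0/24")      -- placeholder prefix
restricted:addMask("198.51.100.0/24")   -- placeholder prefix

-- Query types to shed. TXT is the type named in the thread; NULL is shown as a
-- second example of an arbitrary type. Extend the OrRule with whatever the
-- query logs actually show being abused.
local sheddedTypes = OrRule({
    QTypeRule(DNSQType.TXT),
    QTypeRule(DNSQType.NULL),
})

-- Rules are evaluated in order; the first match decides.

-- 1. Over TCP the source address has completed a handshake, so it cannot be
--    forged: dropping silently is safe and costs nothing to send.
addAction(AndRule({NetmaskGroupRule(restricted), sheddedTypes, TCPRule(true)}),
          DropAction())

-- 2. Over UDP the source may be spoofed, so answer REFUSED instead of dropping.
--    REFUSED, not SERVFAIL: a SERVFAIL makes well-behaved clients retry
--    (and try other servers), which multiplies the load rather than shedding it.
addAction(AndRule({NetmaskGroupRule(restricted), sheddedTypes}),
          RCodeAction(DNSRCode.REFUSED))

-- 3. For everyone else, keep TXT/NULL queries but cap the per-source rate.
--    MaxQPSIPRule matches once a single client IP exceeds the given queries
--    per second; 20 is a placeholder threshold to be tuned from real traffic.
addAction(AndRule({sheddedTypes, MaxQPSIPRule(20)}),
          RCodeAction(DNSRCode.REFUSED))

-- Everything not matched above is forwarded to the recursor unchanged.
```

<p>Validate the file with <code>dnsdist -C /path/to/dnsdist.conf --check-config</code> before deploying it, and confirm the rules are ordered as intended with <code>showRules()</code> on the dnsdist console. DNS cookie validation itself is a job for the recursor behind dnsdist, not for these rules; once cookies are enforced end to end, the "is the sender who they say they are" question that decides between rule 1 and rule 2 is answered for UDP clients as well.</p>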