How to prevent Bind from responding to spoofed IP addresses?

This isn't a problem you should be trying to solve at the service layer.

  • Don't allow off-net traffic to make inbound requests to your DNS listeners.
  • Perform source address validation of packets generated by your customers (if applicable). This prevents amplification attacks originating from inside of your network.

These problems are rooted in the design of the network topology sitting in front of you. It is a losing battle to try and address these issues from the server itself.


The comments in the configuration excerpt in the question refer to your servers answering authoritatively for some zones. For a scenario where the attacker abuses an authoritative server it would make sense to configure Response Rate Limiting to mitigate this.

In the case of attacks abusing a server with recursion enabled, however, locking down recursion access to your own network in combination with ingress filtering is the best way to stop this. (As suggested by @Andrew-B.)

Regarding BIND specifically, it's essential to understand how the different allow-* configuration directives interact when you override one or more of them (without that understanding it's not that obvious how, for instance, overriding allow-query affects other directives such as allow-recursion).


There are a number of approaches you can take. You may want to combine them.

  • Use split DNS; configure the external zone to reject recursion. Split DNS will allow you to provide a non-recursive authoritative DNS server externally, and a fully functioning recursive DNS server internally. Consider logging the failed requests.
  • Block unwanted networks from sending requests to your servers. (Port 53 UDP and TCP.) This can be done at the external firewall or, on some systems including Debian, the server's firewall. Consider limiting the CIDRs that can query your server to those it should support.
  • Use fail2ban to dynamically block requesting networks.

From your question it appears you have a number of computers infected with botnet software. It is important you identify and cleanse these systems. That is beyond the scope of this question. If your routers support it, consider limiting the IP addresses which can originate requests.
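As an added illustration (not part of the question or of any of the answers above), here is a named.conf fragment that puts the second and third answers together: the allow-* inheritance pitfall that the second answer warns about, Response Rate Limiting on the authoritative (external) side, and split DNS implemented with BIND views as the third answer suggests. The ACL name "trusted", the RFC 1918 ranges, the zone name example.com and the zone file paths are assumptions chosen for the example, not anything from the original posts.

```conf
// Added example: split-DNS named.conf for BIND 9 (assumed 9.9.4 or later for rate-limit).
// ACL name, networks, zone name and file paths are placeholders, not from the original question.

// WEAK setting, shown commented out. On a server that recurses, setting only
// allow-query to "any" silently opens recursion to the whole Internet, because
// allow-recursion and allow-query-cache fall back to allow-query when they are
// not set explicitly. This is the interaction the second answer refers to.
//
// options {
//     recursion yes;
//     allow-query { any; };      // recursion now effectively "any" as well
// };

acl "trusted" {
    localhost;
    localnets;
    10.0.0.0/8;          // assumed internal ranges
    192.168.0.0/16;
};

options {
    directory "/var/cache/bind";   // assumed path
    // Be explicit about every allow-* directive so none inherits a value you did not intend.
    allow-query       { any; };
    allow-recursion   { none; };
    allow-query-cache { none; };
};

logging {
    channel dns_errors {
        file "/var/log/named/errors.log" versions 3 size 5m;   // assumed path
        severity info;
        print-time yes;
    };
    // Log refused queries and rate-limit actions so the "failed requests" are visible.
    category query-errors { dns_errors; };
    category rate-limit   { dns_errors; };
};

// Internal view: full recursive resolver, reachable only from trusted networks.
view "internal" {
    match-clients     { trusted; };
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    zone "example.com" {
        type master;
        file "/etc/bind/zones/internal/db.example.com";   // assumed path
    };
};

// External view: authoritative only, no recursion, with Response Rate Limiting
// to blunt amplification against spoofed source addresses.
view "external" {
    match-clients     { any; };
    recursion no;
    allow-query       { any; };     // answer only for zones we are authoritative for
    allow-recursion   { none; };
    allow-query-cache { none; };

    rate-limit {
        responses-per-second 10;    // identical responses per client /24 per second
        window 5;                   // seconds of history kept per client
        slip 2;                     // every 2nd dropped answer becomes a truncated reply (forces TCP retry)
        // log-only yes;            // uncomment first to observe what would be limited without dropping
    };

    zone "example.com" {
        type master;
        file "/etc/bind/zones/external/db.example.com";   // assumed path
    };
};
```

Once views are used, every zone has to live inside a view (BIND refuses a mix of global and per-view zones), so the same zone appears twice with different data files. Run named-checkconf on the file before reloading, and after the reload confirm from an outside address that a recursive query for a name you are not authoritative for is refused while a query for example.com is still answered.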