Maintained by: NLnet Labs

[Unbound-users] how to filter/reject incoming requests for invalid qdomain?

Gábor Lénárt
Mon Sep 17 11:10:29 CEST 2012


Hi All,

I use unbound as recursive name server. However (it seems) some broken
clients sends "odd" requests what - IMHO - unbound should reject at the
first place.  But instead it tries to resolve anyway and administrators of
the given authoritative nameservers complaining that I bomb them with
invalid requests what I should (according to them) stop ASAP.  What they say
(only two examples for now):

Received a malformed qdomain from xx.yy.zz.ww, 'http://BLAH.SOME.DOMAIN': sending servfail
Received a malformed qdomain from xx.yy.zz.ww, 'máig.SOME.DOMAIN': sending servfail

This is from an authoritative nameserver which is responsible for
zone "SOME.DOMAIN". Afaik this is a PowerDNS, but it's not my server at all
(xx.yy.zz.ww is my unbound). The second example is even more interesting
as it sends "á" in the request (in the log file I was sent to, it's UTF-8 char,
I guess this should be sent as puny coded, if it's IDN thing). The first
example is "funny" as well, sending an URL instead of only the name.

For sure, the best solution would be locating the clients sending these
abnormal requests however it's a bit hopeless as there are hundreds of IPs
using my unbound and also I'd like to be sure it won't happen again, that's
why I'd like to reject them by my unbound (also it would help not to try
to do a recursive resolving process: not wasting my resources on the unbound
server).

What I (and the admins of that server) would like is to reject these kind of
requests by unbound itself, instead of try to resolve with contacting the
authoritative nameservers.

The issue is serious for me, as administrators of various authoritative name
servers started to filter out my unbound because of getting "too much
garbage" from it.

This is unbound 1.4.17.

Please help me: how can I configure this?

Thanks for any help/advice in advance,

- Gábor