2

I've been trying to block ANY queries in my BIND server with no success. I followed this post Block ANY request in Bind which says that I can use minimal-responses but it doesn't work.

None of the answers fit my current configuration.

view world {
    match-clients   { world-clients; };
    allow-recursion { none; };
    recursion       no;
    allow-transfer  { key XXXXXX; };

    minimal-responses yes;

    forwarders      { };

    include         "/etc/bind/world.conf";
};
gparent

3 Answers

4

You may use iptables with the --hex-string option for ANY-type records.

This drops the "ANY" request based on the counter defined:

-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --set --name dnsanyquery --rsource
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --rcheck --seconds 60 --hitcount 4 --name dnsanyquery --rsource -j DROP
Zareh Kasparian
  • Hi, thanks. After some searching I saw that the ANY query is no longer as big a security hole as before; they now use TXT entries, which are bigger. – Sabri MJAHED Nov 28 '18 at 15:34
  • But it's a good option to have this deployed in your name server, since these kinds of attacks start suddenly. – Zareh Kasparian Nov 28 '18 at 15:38
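As an added illustration (not code from this answer, and not an iptables implementation), the following Python models what the two rules above do on the defender's side: the string match looks for the five bytes 00 00ff 0001 (the zero byte that ends the query name, QTYPE ANY = 255, QCLASS IN = 1), and the recent module drops a source once four matching queries have been seen within 60 seconds. It also parses the question section properly, which exposes one caveat of the raw byte pattern: an ANY query in a class other than IN (for example CH) does not contain the pattern and would slip past the rule. The packet builder, the 192.0.2.10 address and the timestamps are constructed sample data.

```python
import struct
from collections import defaultdict, deque

QTYPE_ANY = 255   # RFC 1035 QTYPE "*" (ANY), encoded on the wire as 0x00ff
QCLASS_IN = 1     # encoded as 0x0001
QCLASS_CH = 3

# The five bytes the iptables --hex-string "|0000ff0001|" rule searches for.
# --from 48 starts the search after the IPv4 header (20), UDP header (8),
# DNS header (12) and the first 8 bytes of the query name (no IP options assumed).
ANY_IN_PATTERN = b"\x00\x00\xff\x00\x01"


def build_query(qname: str, qtype: int, qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal DNS query (header + one question, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(dns: bytes):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(dns) < 12:
        return None
    qdcount = struct.unpack("!H", dns[4:6])[0]
    if qdcount < 1:
        return None
    pos, parts = 12, []
    while True:
        if pos >= len(dns):
            return None
        ln = dns[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:            # compression pointers are not valid in a query name
            return None
        parts.append(dns[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(dns):
        return None
    qtype, qclass = struct.unpack("!HH", dns[pos:pos + 4])
    return ".".join(parts), qtype, qclass


def hex_string_match(dns: bytes) -> bool:
    """What the -m string rule sees: the byte pattern anywhere in the DNS payload."""
    return ANY_IN_PATTERN in dns


def is_any_query(dns: bytes) -> bool:
    """Precise check: QTYPE ANY in any class, based on parsing the question section."""
    q = parse_question(dns)
    return q is not None and q[1] == QTYPE_ANY


class RecentCounter:
    """Approximation of -m recent --set followed by --rcheck --seconds N --hitcount M.

    Per source address we keep the last `keep` timestamps (ip_pkt_list_tot defaults
    to 20). The --set rule records every matching packet, even one that the second
    rule then drops; the --rcheck rule matches when at least `hitcount` recorded
    packets fall inside the last `seconds` seconds.
    """

    def __init__(self, seconds: int = 60, hitcount: int = 4, keep: int = 20):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = defaultdict(lambda: deque(maxlen=keep))

    def decide(self, src: str, dns: bytes, now: float) -> str:
        if not is_any_query(dns):
            return "ACCEPT"                 # neither rule applies to non-ANY queries
        hits = self.seen[src]
        hits.append(now)                    # rule 1: --set
        recent = sum(1 for t in hits if now - t <= self.seconds)
        return "DROP" if recent >= self.hitcount else "ACCEPT"   # rule 2: --rcheck --hitcount


def simulate(times, src: str = "192.0.2.10", qname: str = "example.com.") -> list:
    """Constructed burst: one source sends ANY queries at the given timestamps (seconds)."""
    counter = RecentCounter()
    packet = build_query(qname, QTYPE_ANY)
    return [counter.decide(src, packet, t) for t in times]


if __name__ == "__main__":
    print(simulate([0, 1, 2, 3, 4, 120]))
    ch_any = build_query("version.bind.", QTYPE_ANY, QCLASS_CH)
    print("CH ANY seen by hex match:", hex_string_match(ch_any), "by parser:", is_any_query(ch_any))
```

The fourth and fifth queries inside the window are dropped and the source is accepted again once its earlier timestamps age out of the 60-second window. The CH-class case shows why a byte-pattern match is a coarse filter: it keys on class IN, whereas a parser that reads the question section catches ANY regardless of class.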
3

Did you read Andrew B.'s answer? He states that "there is no configuration option for dropping all queries of type ANY." The option minimal-responses helps in limiting attacks but you should start with response rate limiting as hspaans mentions in his answer.

The option minimal-responses will not block queries of type ANY but will limit the responses so as to make them less beneficial in amplification attacks.

Tommiie
1

What is in "world.conf"? Is it possible that you are testing it from localhost or your private network? This would explain why it works for you even though you followed the guide correctly.

Petr Chloupek