Drop non-hosted zone query

[RinCat]

Since there are more DNS amplification attacks nowadays, is there a way drop all queries that are not hosted? nsd is authoritative DNS name server, I do not want people running scan and found a open 53 port then send random queries to NS. All those queries should be illegal.

[wcawijngaards]

NSD does not have this feature. You can drop updates with a config option in nsd.conf, but that is only dynamic updates.

Unbound has the feature where you can select to drop queries based on the query name with local-zone statements in unbound.conf. You would then need a local-zone to drop other queries (for name "."), and local-zone statements for all of the hosted zones to allow them with transparent.