Your IP may unfortunately be inside a CIDR block that largely does nothing but spam my infrastructure with script kiddie tomfoolery. Firewall rules apply to my authoritative DNS servers as well.

Edit: If you would like me to whitelist it, DM me your IP and I'll add a narrow exception.

[–] WhyJiffie@sh.itjust.works 2 points 4 days ago (2 children)

but I don't run a recursive resolver, I use quad9 as upstream. Shouldn't they return a response even if I was blocked?

dig confirms with EDNS extensions that the response is coming from quad9. the error says "no reachable authority" so it must be at least partly what you say, but I think you ended up blocking a DNS provider.

[–] ptz@dubvee.org 1 points 3 days ago (1 children)

FYI: I moved the allow rule for DNS to the top of the chain, so that should fix problems with DNS providers not being able to reach the authoritative name servers.

[–] WhyJiffie@sh.itjust.works 2 points 3 days ago

thanks, it seems it worked! the post image now loads fine

[–] ptz@dubvee.org 3 points 4 days ago* (last edited 3 days ago)

Ugh. Thanks. It's quite possible, though maybe just a regional one? I did inadvertently block one of the IPs Let's Encrypt uses for secondary validation, so this may be another case of that.

I get a shitload of bad traffic from the southeast Asia area (mostly Philippines/Singapore AWS) and have taken to blanket blocking their whole routes rather than constantly playing whack-a-mole. Fail2ban only goes so far for case-by-case.

Here's the image from the meme from an alternate source: