Recently I found out that DNS is a big bandwidth waster on my internet connection. Strange, isn’t it? DNS? So I started a network trace on my firewall: someone is abusing one of my DNS servers. I guess it’s some kind of malware using my DNS server, but I am not really sure. The domain was X99MOYU.NET, belonging to a Chinese company called ZhuHai NaiSiNiKe. The content of the website is not available (403, Access Denied).
My first idea was to reply with 127.0.0.1 as the DNS response, so I created a zone for this domain and added records. However, they kept sending billions of queries.
The next step was hiding my DNS server behind a Citrix NetScaler, so that all queries now have to traverse the NetScaler. As easy as that: I created a DNS load balancing virtual server and pointed my external IPs there. Next step: bind a responder policy to it.
I created a responder policy dropping all queries for domains not hosted in my environment. I did this using a NetScaler pattern set, as pattern sets are more efficient and easier to read than endless complex expressions combined with OR, such as:
!(DNS.REQ.QUESTION.DOMAIN.CONTAINS("norz.at") || DNS.REQ.QUESTION.DOMAIN.CONTAINS("norz.cc") || …)
Command line:
add policy patset MyDomains
bind policy patset MyDomains norz.co -index 1
bind policy patset MyDomains norz.at -index 2
add responder policy res_pol_dns_invalid_request "!DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(\"MyDomains\")" DROP
My pattern set is called MyDomains. So this policy gets applied (and drops the request) if the DNS query is for a domain not contained in MyDomains.
MyDomains contains all the domains I host, like norz.at, norz.cc, …
Next problem: I opened up my load balancing vServer and wanted to bind the responder policy. Strange, there was no option to bind a responder policy there!
I had to go back to my policy, start the policy manager and bind it from there. Of course I could have bound it using the command line as well.
Command line:
bind lb vserver lb_vSvc_DNS -policyName res_pol_dns_invalid_request -priority 100 -gotoPriorityExpression END -type REQUEST
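As an added example (not part of the original post, and not NetScaler code), the following Python models how the responder rule above decides DROP versus ALLOW for a set of constructed query names, and compares it with a naive OR-chain and with a suffix-anchored check, since CONTAINS_ANY is a substring match. The pattern set, query names and the case-insensitive matching are assumptions made for the demonstration.

```python
# Constructed pattern set, mirroring the post's "MyDomains" (assumption)
MY_DOMAINS = ["norz.co", "norz.at"]

def contains_any(qname, patset):
    """Model of NetScaler CONTAINS_ANY: any pattern is a substring of qname.
    Case folding here is a simplification, not a statement about NetScaler."""
    q = qname.lower()
    return any(p.lower() in q for p in patset)

def patset_policy(qname, patset=MY_DOMAINS):
    """The post's rule: !DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY("MyDomains") -> DROP."""
    return "DROP" if not contains_any(qname, patset) else "ALLOW"

def or_chain_policy(qname, patset=MY_DOMAINS):
    """A naive !CONTAINS(a) || !CONTAINS(b) chain: drops nearly everything,
    because one query can rarely contain every hosted domain at once."""
    q = qname.lower()
    return "DROP" if any(p.lower() not in q for p in patset) else "ALLOW"

def suffix_policy(qname, patset=MY_DOMAINS):
    """Stricter variant: the query must be a hosted zone or a name under it,
    so a name that merely contains a hosted zone as a substring is dropped."""
    q = qname.lower().rstrip(".")
    ok = any(q == p.lower() or q.endswith("." + p.lower()) for p in patset)
    return "ALLOW" if ok else "DROP"

def evaluate(queries, policy):
    """Apply one policy to every query name; returns {qname: decision}."""
    return {q: policy(q) for q in queries}

# Constructed sample queries (not captured traffic)
SAMPLE_QUERIES = [
    "www.norz.at.",           # hosted
    "mail.norz.co.",          # hosted
    "x99moyu.net.",           # the abused domain named in the post
    "random123.x99moyu.net.",
    "norz.at.example.com.",   # contains "norz.at" but is not hosted
]

if __name__ == "__main__":
    for name, pol in [("patset", patset_policy),
                      ("or-chain", or_chain_policy),
                      ("suffix", suffix_policy)]:
        print(name, evaluate(SAMPLE_QUERIES, pol))
```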
I hope you like it and would be glad to hear some comments on the subject …