Dropping request packets

Jim Reid jim at rfc1035.com
Wed Apr 21 08:46:45 UTC 2004


>>>>> "Weldon" == Weldon Goree <weldon at weldongoree.com> writes:

    Weldon> What BIND configuration do you know of that will prevent,
    Weldon> say, someone at 192.168.1.27 from running nslookup using
    Weldon> your nameserver?

There is nothing a name server or any firewall or router can do about
that. The only way of stopping someone/something running nslookup at
192.168.1.27 will be through some OS controls on that box.

    >> BIND has no way of rate-limiting inbound queries or TCP
    >> connections.  This is something a router or firewall does.

    Weldon> eh?

    Weldon> options {
    Weldon>    tcp-clients 750; 

This doesn't have any impact on rate limiting. It sets an upper bound
on the number of TCP clients at any given instant. Rate limiting
generally means setting a bound on the number of packets/connections
per unit of time, usually on a per-net or per-client basis. The above
hook in named.conf just says how many TCP clients the server can have.
It says nothing about the rate of those connections or which addresses
they come from. A client could be making 1M TCP connections per second
and if these could be set up and torn down in under a millisecond
(unlikely), the constraint you've set of no more than 750 connections
would not be exceeded.

    Weldon>    recursive-clients 25;

This deals with the number of *outbound* queries the name server makes
for resolving client lookups: no rate limiting there. It says nothing
about the number of inbound recursive queries the server gets. This
option just sets an upper bound on the number of internal data
structures the server can maintain to keep track of any resolutions
it performs.

    Weldon>    serial-queries 500; etc...  

This has nothing to do with rate limiting either. It sets an upper
bound on the number of SOA refresh queries that a slave server can
have outstanding, i.e. it's concerned with outbound traffic too. And
there's no time constraint. BIND9.3 has serial-query-rate to set the
number of SOA refresh queries the server can send every second.

    Weldon> I don't think I'm imagining those...

Indeed you're not imagining these. However you're imagining what they
get used for. Have you read the BIND9 ARM? Or do you consider the
documentation to be unclear?
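
The distinction drawn above, a cap on connections open at one instant versus a bound on connections per unit of time, as an added example that is not part of the thread and is not BIND code: a small Python simulation that feeds a constructed trace of TCP connections through a model of tcp-clients 750 and, optionally, a per-source token-bucket rate limit of the kind a firewall or router would apply in front of the server. The client address 192.168.1.27 is the one named in the thread; the traffic rates, hold times and the limiter's 100/s with burst 200 are assumptions chosen for the illustration.

```python
# Added example (not from the thread, not BIND code): a concurrency cap like
# tcp-clients versus a per-client rate limit. All traffic below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (timestamp, sort order, "open"/"close", client address, connection id)
Event = Tuple[float, int, str, str, int]


@dataclass
class ConcurrencyCap:
    """Models 'tcp-clients N': at most N TCP connections open at one instant."""
    limit: int
    open_conns: int = 0
    rejected: int = 0

    def on_open(self) -> bool:
        if self.open_conns >= self.limit:
            self.rejected += 1
            return False
        self.open_conns += 1
        return True

    def on_close(self) -> None:
        self.open_conns -= 1


@dataclass
class PerClientRateLimit:
    """Token bucket per source address (assumed firewall behaviour, not a
    named.conf option): 'rate' new connections per second plus a 'burst'."""
    rate: float
    burst: int
    buckets: Dict[str, Tuple[float, float]] = field(default_factory=dict)
    dropped: Dict[str, int] = field(default_factory=dict)

    def allow(self, addr: str, now: float) -> bool:
        tokens, last = self.buckets.get(addr, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[addr] = (tokens - 1.0, now)
            return True
        self.buckets[addr] = (tokens, now)
        self.dropped[addr] = self.dropped.get(addr, 0) + 1
        return False


def make_trace(addr: str, conns_per_sec: float, duration: float,
               hold: float) -> List[Event]:
    """Constructed trace: one client opening conns_per_sec connections,
    evenly spaced, each held open for 'hold' seconds."""
    events: List[Event] = []
    interval = 1.0 / conns_per_sec
    for cid in range(int(conns_per_sec * duration)):
        t = cid * interval
        events.append((t, 1, "open", addr, cid))
        # closes sort before opens at an equal timestamp
        events.append((t + hold, 0, "close", addr, cid))
    return events


def run(events: List[Event], cap: ConcurrencyCap,
        limiter: Optional[PerClientRateLimit]) -> Dict[str, int]:
    """Replay the trace through the optional firewall limiter, then the cap."""
    admitted: Set[int] = set()
    peak = 0
    for ts, _, kind, addr, cid in sorted(events):
        if kind == "close":
            if cid in admitted:
                cap.on_close()
            continue
        if limiter is not None and not limiter.allow(addr, ts):
            continue  # dropped in front of the server; named never sees it
        if cap.on_open():
            admitted.add(cid)
            peak = max(peak, cap.open_conns)
    firewall_dropped = sum(limiter.dropped.values()) if limiter else 0
    return {"admitted": len(admitted), "peak_open": peak,
            "cap_rejected": cap.rejected, "firewall_dropped": firewall_dropped}


def churn_scenario(with_firewall: bool) -> Dict[str, int]:
    """192.168.1.27 opens 2000 connections/s for 2 s, each lasting 0.1 ms:
    never more than one is open at once, so tcp-clients 750 never trips."""
    events = make_trace("192.168.1.27", 2000, 2.0, 0.0001)
    limiter = PerClientRateLimit(rate=100, burst=200) if with_firewall else None
    return run(events, ConcurrencyCap(limit=750), limiter)


def pileup_scenario() -> Dict[str, int]:
    """1000 connections opened within one second and held for 5 s: this is
    the situation tcp-clients 750 actually bounds."""
    events = make_trace("192.168.1.27", 1000, 1.0, 5.0)
    return run(events, ConcurrencyCap(limit=750), None)


if __name__ == "__main__":
    print("churn, no firewall:  ", churn_scenario(False))
    print("churn, with firewall:", churn_scenario(True))
    print("pile-up, no firewall:", pileup_scenario())
```

In the churn case the cap rejects nothing and the peak stays at one open connection while the client gets through 4000 connections in two seconds; only the per-client limiter in front of the server reduces that to a few hundred. In the pile-up case the cap does bite, refusing 250 of the 1000 concurrently held connections, which is exactly what it is for.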


