DNS queries limitation by host?
Ladislav Vobr
lvobr at ies.etisalat.ae
Sun Aug 22 03:32:12 UTC 2004
> You obviously haven't understood what I posted. A firewall doesn't
> only completely block unwanted traffic. Some firewalls *do* provide
> rate limiting. As, of course, do routers.
Hmm, perhaps you haven't understood what I posted either, and I see your
reply is a very general one; have you ever tried to do such a thing? I
have not said that rate limiting is not in firewalls or routers; I was
talking about dynamic rate limiting, not, for example, preconfiguring in
my router or firewall that the user from 1.2.3.4 cannot exceed 256 kbps.
Can you imagine the router config when you have around 4 class Bs for
your customers and each of them might flood you :-) ? Restricting their
total traffic doesn't help at all; preconfiguring **each** of them
(let's say each /32) in the router config, are you really suggesting
this? Most firewalls/routers don't support dynamic rate limiting, and
many developers know it and implement it in their applications, since it
is a must today for big public environments.
>
> Ladislav> Customers doing what they want, if bind can rate limit
> Ladislav> them, they will ofcourse re-evaluate their behaviour,
> Ladislav> because they will be forced to do it.
>
> This is nonsense. First of all, the customers are probably not "doing
> what they want". They're most likely doing what their ISP told them to
> do a long time ago. Presumably neither the ISP or the customer at that
> time had a clue about DNS operations and the pointless stupidity of
We never advise customers to do it; however, IMHO they feel more secure
configuring their firewalls to allow DNS UDP traffic only to their ISP
(us), not to all Internet DNS servers. A UDP stateful firewall will help,
but educating the customers, or making sure they upgrade and use it, is
a completely different and long-term task.
> How someone choses to configure rate limiting on their routers is up
> to them. In all likelihood, the excessive traffic will be coming from
> a small number of IP addresses, so it would be trivial to make the
Hmm, what is small for you? Do you know that today almost everybody has
at least ISDN, DSL or cable? Do you know that filling the
recursive-client queue on BIND is a piece of cake even for an analog
dial-up user? Do you know that BIND doesn't even bother to log this or
give you a hint why and who is doing this?
>
> PS: I said in my earlier posting that anyone who wanted to see rate
> limiting in BIND should feel free to contribute code. Since you seem
> to think rate limiting DNS queries is a desirable thing to do, go
> ahead. Implement it.
I am trying my best here to solve this; so far I don't have any
solution, only some kind of workaround, which I cannot really offer,
since it has a lot of drawbacks, and I myself am not sure if it's really
a good thing to do.
Ladislav
More information about the bind-users mailing list
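The two claims argued over in this message, that a single slow-link client can fill a recursive resolver's client queue and that per-client limits have to be created dynamically rather than preconfigured per /32, can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the post, from BIND, or from anyone in the thread. It models BIND's `recursive-clients` queue as a fixed number of in-flight slots (the default of 1000 is scaled down to 100 here), attaches a token bucket to each source address the first time it is seen, and also produces the "who is doing this" report the author complains BIND did not give. The traffic, the 5-second resolution time for the flooder's names, the queue size and the 5 qps / burst 10 policy are all constructed assumptions. (Later BIND 9 releases added response rate limiting via `rate-limit`, but that targets reflection traffic, not the per-client recursion flood discussed here.)

```python
"""Toy model of a recursive resolver's client queue with optional
per-source-IP dynamic rate limiting.  Added example, not BIND code.
All traffic below is constructed."""

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Query:
    t: float     # arrival time, seconds
    src: str     # client source address
    hold: float  # seconds the recursion occupies a queue slot (assumed)


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; one token per query.
    A bucket is created the first time a source is seen, so no per-/32
    preconfiguration is needed: that is the 'dynamic' part of the argument."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def serve(queries, slots, rate=None, burst=None):
    """Run queries through a queue of `slots` concurrent recursions
    (BIND's recursive-clients, scaled down).  With rate/burst set, each
    source must pass its own bucket before it may take a slot.
    Returns {src: {"served", "dropped", "limited"}} counts."""
    in_flight = []  # completion times of recursions currently holding a slot
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"served": 0, "dropped": 0, "limited": 0})
    for q in sorted(queries, key=lambda q: q.t):
        in_flight = [done for done in in_flight if done > q.t]
        if rate is not None and not buckets[q.src].allow(q.t):
            stats[q.src]["limited"] += 1      # refused before touching the queue
        elif len(in_flight) >= slots:
            stats[q.src]["dropped"] += 1      # queue full: the symptom in the thread
        else:
            in_flight.append(q.t + q.hold)
            stats[q.src]["served"] += 1
    return dict(stats)


def top_talkers(queries, n=3):
    """The 'who is doing this' hint the post says BIND does not give."""
    return Counter(q.src for q in queries).most_common(n)


def sample_traffic():
    """Constructed: ten ordinary clients at 1 qps for 10 s with fast
    lookups, plus one slow-link client (192.0.2.77) at 50 qps whose
    queries are for names that take 5 s to resolve.  Fifty small UDP
    queries per second fit comfortably in a 56 kbit/s dial-up link."""
    qs = [Query(t=k + i * 0.05, src=f"198.51.100.{i}", hold=0.2)
          for i in range(10) for k in range(10)]
    qs += [Query(t=k * 0.02, src="192.0.2.77", hold=5.0) for k in range(500)]
    return qs


def ordinary_served(stats):
    """Queries served for everyone except the constructed flooder."""
    return sum(v["served"] for s, v in stats.items() if s != "192.0.2.77")


if __name__ == "__main__":
    traffic = sample_traffic()
    print("top talkers:", top_talkers(traffic))
    plain = serve(traffic, slots=100)
    print("no limit:      ", plain["192.0.2.77"], "ordinary served", ordinary_served(plain))
    limited = serve(traffic, slots=100, rate=5, burst=10)
    print("5 qps/burst 10:", limited["192.0.2.77"], "ordinary served", ordinary_served(limited))
```

Without a limit, the flooder's slow recursions hold all 100 slots from about t=2 s until they start completing at t=5 s, and the ten ordinary clients lose a large share of their queries even though none of them is misbehaving. With a per-source bucket the flooder is refused before it can take a slot, the ordinary clients are served in full, and the queue never fills; the policy is applied to whatever address shows up, with nothing configured per customer address in advance.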