query limits

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 4 00:06:15 UTC 2005


Jim Reid wrote:

>>>>>> "Kris" == Kris Voelker <fritz at htc.net> writes:
>
>    Kris> Is there a way to control/limit the number of queries that
>    Kris> can be made by a specific IP?  
>
>Yes. That's why firewalls and routers were invented.
>
Jim,
        I believe we've talked about this in the past, and I thought the 
consensus from those discussions was that it would be nice if BIND had 
some controls in this area. Routers and firewalls simply don't know -- 
can't know -- with precision the impact that queries have on a 
nameserver instance. It might be useful, for instance, to apply 
different rate-limits to recursive versus non-recursive queries, 
zone-transfers versus normal queries, etc. If and when DNSSEC ever gets 
off the ground, it might be useful to have a separate rate-limit for 
queries and/or responses which require a lot of cryptographic processing.

I think that anyone who really cares about this should submit a feature 
request to ISC for it.

                                                                         
- Kevin



