query limits
Kevin Darcy
kcd at daimlerchrysler.com
Fri Mar 4 00:06:15 UTC 2005
Jim Reid wrote:
>>>>>> "Kris" == Kris Voelker <fritz at htc.net> writes:
>
> Kris> Is there a way to control/limit the number of queries that
> Kris> can be made by a specific IP?
>
>Yes. That's why firewalls and routers were invented.
>
Jim,
I believe we've talked about this in the past, and I thought the
consensus from those discussions was that it would be nice if BIND had
some controls in this area. Routers and firewalls simply don't know --
can't know -- with precision the impact that queries have on a
nameserver instance. It might be useful, for instance, to apply
different rate-limits to recursive versus non-recursive queries,
zone-transfers versus normal queries, etc. If and when DNSSEC ever gets
off the ground, it might be useful to have a separate rate-limit for
queries and/or responses which require a lot of cryptographic processing.
I think that anyone who really cares about this should submit a feature
request to ISC for it.
- Kevin
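
Added example, not part of the original message and not BIND code: a sketch of the per-client limiting the message describes, where the limiter reads the DNS header and question to tell recursive queries, non-recursive queries and zone transfers apart and applies a separate token bucket to each. The limit values, class names and helper names are assumptions chosen for illustration.

```python
import struct

AXFR, IXFR = 252, 251  # QTYPE values for zone transfers
# Assumed limits per query class: (burst, refill per second). Not BIND settings.
LIMITS = {"xfer": (1, 0.1), "recursive": (5, 5.0), "non-recursive": (20, 20.0)}

def classify(msg: bytes) -> str:
    """Classify a DNS query from its wire format (header + first question)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos = 12
    while pos < len(msg) and msg[pos] != 0:   # walk the QNAME labels
        if msg[pos] & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):                    # root label + QTYPE + QCLASS
        raise ValueError("truncated question")
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    if qtype in (AXFR, IXFR):
        return "xfer"
    return "recursive" if flags & 0x0100 else "non-recursive"  # RD bit

class QueryLimiter:
    """Token bucket per (client IP, query class)."""
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets = {}  # (ip, class) -> (tokens, last_seen)

    def allow(self, ip: str, msg: bytes, now: float) -> bool:
        cls = classify(msg)
        burst, rate = self.limits[cls]
        tokens, last = self.buckets.get((ip, cls), (burst, now))
        tokens = min(burst, tokens + (now - last) * rate)  # refill since last query
        ok = tokens >= 1
        self.buckets[(ip, cls)] = (tokens - 1 if ok else tokens, now)
        return ok

def build_query(name: str, qtype: int, rd: bool) -> bytes:
    """Construct a sample query (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```

A packet filter that counts packets per source address sees all three classes as the same UDP or TCP port 53 traffic; the distinction above needs the RD bit and QTYPE from the message itself.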