A lot of queries from a customer.

Rafael Molina rafael.molina at interlink.net.ve
Thu Jun 28 12:30:28 UTC 2012


> Hi,
>
> Recently, I have been watching on one DNS server a lot of queries from 
> a customer to "time-b.netgear.com" (maybe a Netgear NTP server).
>
> About 1000 queries per minute.
>
> tail -f /var/log/bind9-query.log | grep time-b.netgear.com
>
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.008 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
> time-b.netgear.com IN A + (10.1.xx.xx)
>
> tcpdump -i eth0 port 53 and host 186.14.xx.xx
>
> 12:54:28.375374 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
> time-b.netgear.com. (36)
> 12:54:28.375479 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
> time-b.netgear.com. (36)
> 12:54:28.375507 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
> time-b.netgear.com. (36)
> 12:54:28.375553 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
> time-b.netgear.com. (36)
> 12:54:28.375638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? 
> time-b.netgear.com. (36)
> 12:54:28.376424 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376525 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376807 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376845 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.376906 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.381638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? 
> time-b.netgear.com. (36)
> 12:54:28.381693 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 62683+ A? 
> time-b.netgear.com. (36)
> 12:54:28.381745 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 50898+ A? 
> time-b.netgear.com. (36)
> 12:54:28.381869 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.382011 IP inter.net.ve.domain > 186.14.xx.xx.32770: 62683 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
> 12:54:28.382058 IP inter.net.ve.domain > 186.14.xx.xx.32770: 50898 
> 2/13/3 CNAME nsone.netgear.com., A 209.249.181.21 (343)
>
> I can't find a way to limit the queries per minute for this customer.
> Is it possible in BIND 9 to filter these queries, to limit the 
> responses?
>
> Thanks in advance,
>
> Below, I've attached my configuration
>
> OS: ubuntu 11.10
> Bind: 9.7.3.dfsg-1ubuntu4.1
>
> named.conf.options
>
> allow-recursion { corp; };
> allow-query-cache { corp; };
>
> corp : clients.
>
> allow-query { any; };
>         clients-per-query 10 ;
>         max-clients-per-query 20 ;
>         blackhole { bogusnets; };
>         version "I hope this is a joke !";
>         edns-udp-size 512;
>         max-udp-size 512;
>         recursive-clients 1000;
>         max-cache-size 500M;
>         tcp-clients 500;
>         max-cache-ttl 43200; # 12 Hours
>         max-ncache-ttl 900; # 15 min
>
> Regards,
>
> Sincerely,
> Rafael J. Molina Q.
> www.inter.com.ve
>
>
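
The per-client tally that the `tail | grep` in the message does by eye, as an added example that is not part of the original post: it parses query-log lines in the format shown above and reports every (minute, client, name, type) bucket at or above a threshold. The sample lines, the documentation-range addresses and the function name `noisy_clients` are constructed for illustration.

```python
import re
from collections import Counter

# Matches the BIND 9 query-log format shown in the post, e.g.
#   21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
# Other BIND versions add fields to this line; adjust the pattern for them.
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d{3} "
    r"client (?P<client>[^#\s]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def noisy_clients(lines, threshold):
    """Return {(minute, client, qname, qtype): count} for buckets >= threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query line (or a line wrapped by a mail client)
        # DNS names are case-insensitive; normalise so "Time-B" and "time-b" share a bucket.
        qname = m["qname"].lower().rstrip(".")
        counts[(m["minute"], m["client"], qname, m["qtype"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample input (addresses from the documentation ranges).
SAMPLE_LOG = """\
21-Jun-2012 12:50:53.003 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.003 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.008 client 192.0.2.10#32770: query: Time-B.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.009 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:54.120 client 198.51.100.7#40112: query: example.org IN AAAA + (10.1.0.1)
21-Jun-2012 12:50:59.015 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:51:00.101 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:51:00.102 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:51:01.000 general: some unrelated log line
""".splitlines()

if __name__ == "__main__":
    hits = noisy_clients(SAMPLE_LOG, threshold=3)
    for (minute, client, qname, qtype), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{minute}  {client:<15}  {qname} {qtype}  {n} queries")
```
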






More information about the bind-users mailing list