A large number of "ANY" query type queries
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Mar 28 08:50:34 UTC 2012
On Wed, Mar 28, 2012 at 10:39:11AM +0200,
Anand Buddhdev <anandb at ripe.net> wrote
a message of 25 lines which said:
> It's probably better to rate-limit the address. You can do that on
> your server with iptables (Linux) or ipfw (*BSD) or on your router.
A possible solution for Linux' Netfilter (test it: it may have strange
effects when you have many different IP sources):
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
(Adjust the number to your case; the doc is in iptables' man page.)
You may also limit this rule to the offending IP address(es).
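As an added illustration (not code from the post or from the iptables project), the following Python model approximates the token-bucket behaviour of the hashlimit match above and runs constructed query timestamps through it, so you can see how --hashlimit-burst, --hashlimit-above and --hashlimit-srcmask interact before deploying the rule. It models credit and refill only; the real match's hash table sizing and entry expiry are not represented, and the sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Parameters mirroring the rule in the post
RATE_PER_SEC = 20   # --hashlimit-above 20/second
BURST = 100         # --hashlimit-burst 100
SRCMASK = 28        # --hashlimit-srcmask 28

def bucket_key(src_ip, srcmask):
    """Bucket a source the way --hashlimit-mode srcip --hashlimit-srcmask N does: by its /N prefix."""
    return ipaddress.ip_network(f"{src_ip}/{srcmask}", strict=False)

class HashLimit:
    """Token-bucket model of the hashlimit match (credit in 1/1000 packet units, time in ms).

    Each bucket starts with `burst` credit and earns `rate` per second; a packet is within
    the limit (not matched, so not dropped) while at least one whole packet of credit remains.
    """
    def __init__(self, rate=RATE_PER_SEC, burst=BURST, srcmask=SRCMASK):
        self.rate_per_ms = rate          # N packets/s == N millipackets per ms
        self.cap = burst * 1000
        self.srcmask = srcmask
        self.credit, self.last = {}, {}

    def allow(self, ts_ms, src_ip):
        key = bucket_key(src_ip, self.srcmask)
        if key not in self.credit:
            self.credit[key], self.last[key] = self.cap, ts_ms
        # refill credit earned since the bucket's last packet, capped at the burst size
        self.credit[key] = min(self.cap, self.credit[key] + (ts_ms - self.last[key]) * self.rate_per_ms)
        self.last[key] = ts_ms
        if self.credit[key] >= 1000:
            self.credit[key] -= 1000
            return True
        return False

def simulate(events, **limits):
    """Feed (ts_ms, src_ip) events through one limiter; return {src_ip: (passed, dropped)}."""
    hl = HashLimit(**limits)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        stats[ip][0 if hl.allow(ts, ip) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

# Constructed traffic: 192.0.2.10 sends 200 queries in one second, 192.0.2.11 (same /28)
# sends two ordinary queries, 198.51.100.5 is an unrelated, well-behaved resolver.
EVENTS = [(5 * i, "192.0.2.10") for i in range(200)]
EVENTS += [(996, "192.0.2.11"), (1500, "192.0.2.11")]
EVENTS += [(100 * i, "198.51.100.5") for i in range(10)]

if __name__ == "__main__":
    for mask in (28, 32):
        print(f"srcmask {mask}: {simulate(EVENTS, srcmask=mask)}")
```

With srcmask 28 the neighbour 192.0.2.11 loses a query to the flood from 192.0.2.10 because both share one bucket; with srcmask 32 it is unaffected.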