Query on the Overload control mechanism for DNS Server
Sebastian Büttner
sebastian at bueddl.de
Sun Apr 30 14:03:04 UTC 2017
Hi Kishore,
You can indeed do so with iptables, for example. Have a look at the
hashlimit or the limit module. They are both capable of limiting per
protocol, per destination or source IP, and can be configured to trigger only
after reaching a burst limit. You can enforce a UDP packet rate which is
allowed per second per source IP, for example to destination port 53:
iptables -I INPUT -p udp -m udp --dport 53 -m hashlimit --hashlimit 10/s
--hashlimit-mode srcip --hashlimit-name dns ...
Anyway, keep in mind that the UDP source IP might be spoofed (but then the
benchmarking this is all about would not apply anyway).
Sebastian
On 2017-04-30 15:52, Ram Kishore B wrote:
> Thanks for the quick response.
>
> Is it possible to rate limit the number of packets per second to allow
> for a specific iptables rule, especially for *UDP*? If yes, our partial
> requirement will be satisfied.
>
> The only difficulty I can think of at the moment with using this rule is
> that the peers will not be given any response, which can make them retry.
>
> Otherwise, having the rate limit in the BIND incoming phase will provide the
> flexibility of responding with a specific error code to let the peer
> understand the situation.
>
> Thanks,
> Kishore
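The per-source-IP UDP/53 limit sketched in the reply above, written out as an added example (not code from the thread or from BIND) that generates the rules for review instead of applying them; the burst value, the table name "dns", the chain name "DNS_RATELIMIT" and the table-size bounds are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): the per-source-IP UDP/53 limit Sebastian
# sketches, with the burst he mentions, plus two things a defender wants with it:
# a bounded state table (spoofed sources cannot grow it without limit) and a
# rate-limited log line so drops are visible. Assumed values: 10 pkt/s, burst 20,
# hashlimit table name "dns", chain name "DNS_RATELIMIT".

# dns_rate_limit_rules [RATE] [BURST]
# Prints the iptables commands, one per line, without executing them.
dns_rate_limit_rules() {
    rate="${1:-10/s}"
    burst="${2:-20}"
    # Own chain: over-limit packets are logged (at most one line per minute)
    # and then dropped. A single hashlimit match in INPUT avoids counting the
    # same packet twice, which separate LOG and DROP hashlimit rules would do.
    printf '%s\n' 'iptables -N DNS_RATELIMIT'
    printf '%s\n' 'iptables -A DNS_RATELIMIT -m limit --limit 1/min -j LOG --log-prefix "DNS-RATELIMIT "'
    printf '%s\n' 'iptables -A DNS_RATELIMIT -j DROP'
    # Key the limiter on the source address and match only packets ABOVE the
    # rate (a quiet source always gets its first BURST packets through).
    # --hashlimit-htable-max caps the number of tracked sources and
    # --hashlimit-htable-expire (ms) ages idle entries out after 60 s.
    printf 'iptables -I INPUT 1 -p udp --dport 53 -m hashlimit --hashlimit-above %s --hashlimit-burst %s --hashlimit-mode srcip --hashlimit-name dns --hashlimit-htable-max 65536 --hashlimit-htable-expire 60000 -j DNS_RATELIMIT\n' "$rate" "$burst"
}

# dns_rate_limit_rule_count [RATE] [BURST] -> number of commands generated.
dns_rate_limit_rule_count() {
    dns_rate_limit_rules "$@" | wc -l | tr -d ' '
}

# Review the generated rules; apply as root with: dns_rate_limit_rules | sh
# Then verify with: iptables -S INPUT | grep hashlimit
# and watch the per-source buckets in: /proc/net/ipt_hashlimit/dns
dns_rate_limit_rules
```

Kishore's concern still applies: a dropped query gets no answer, so clients time out and retry; the LOG line at least shows which sources are being limited.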