DNS queries limitation by host ?
Ladislav Vobr
lvobr at ies.etisalat.ae
Sat Aug 21 06:54:27 UTC 2004
Jim Reid wrote:
> Nicolas> I'd like to know if it's possible to do restrictions by
> Nicolas> ip... for instance, to limit 100 requests/sec for a
> Nicolas> special host/ip....
>
> Nicolas> Does bind 8 do this? Bind 9?
>
> BIND has no hooks for this sort of thing. Feel free to contribute
> code... Rate limiting is probably best handled by a router or
> firewall in front of the name server. Perhaps you could do that?
A firewall will limit only total traffic or static clients (you have to
configure the source IP); it will not dynamically limit each random
customer. Basically, it means that the service will be non-responsive for
all if the total traffic is exceeded.

Rate limiting per customer or per IP is a basic thing that many
applications are already using: apache, sendmail, sunone, iplanet... Have
you noticed it?
> I'd also recommend that you get your customers to reconfigure their
> name servers so they resolve stuff for themselves instead of
> forwarding queries to your name server. That forwarding server that
> sends 1200qps is anti-social and probably broken. It might be helpful
> to find out why it's generating so much traffic. Even better would be
> putting a stop to that much traffic. :-)
Customers do what they want; if bind can rate limit them, they will
of course re-evaluate their behaviour, because they will be forced to do
it. Since bind doesn't care about it, nobody cares. Saying that a router
will solve it? Will the router ensure that *each* *random* customer will
have, let's say, bw for 20 req per second and not more? Just think about it.
Ladislav
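
Added example, not part of the original post and not BIND code: a token-bucket simulation contrasting the aggregate limit with the per-source limit discussed in this message. The 1200 qps forwarder and the 20 req/sec per-customer figure come from the thread; the 100 qps aggregate limit, the 10 qps clients and the documentation-range addresses are assumptions.

```python
from collections import defaultdict

CLIENT_QPS = 20    # per-source limit, the figure used in the post
GLOBAL_QPS = 100   # assumed aggregate limit for the firewall-style case

class TokenBucket:
    """Permit `rate` queries per second, with bursts of up to `rate`."""
    def __init__(self, rate):
        self.rate, self.tokens, self.last = rate, float(rate), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at one second's worth.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

NOISY = "192.0.2.10"                                        # constructed address
QUIET = ("198.51.100.1", "198.51.100.2", "198.51.100.3")    # constructed addresses

def constructed_traffic():
    """Constructed one-second sample: one forwarder at 1200 qps, three at 10 qps."""
    events = [(i / 1200, NOISY) for i in range(1200)]
    events += [(i / 10 + 0.05, ip) for ip in QUIET for i in range(10)]
    return sorted(events)

def simulate(events, per_client):
    """Return {source_ip: queries answered} for one limiter policy."""
    shared = TokenBucket(GLOBAL_QPS)
    buckets = defaultdict(lambda: TokenBucket(CLIENT_QPS))
    answered = defaultdict(int)
    for now, ip in events:
        # Aggregate policy: everyone draws from one bucket.
        # Per-source policy: each address gets its own bucket on first sight.
        bucket = buckets[ip] if per_client else shared
        if bucket.allow(now):
            answered[ip] += 1
    return dict(answered)

if __name__ == "__main__":
    events = constructed_traffic()
    for label, mode in (("aggregate limit", False), ("per-source limit", True)):
        print(label, simulate(events, per_client=mode))
```

A production limiter also has to bound and expire the per-source table, because DNS over UDP source addresses can be spoofed and each new address allocates state.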