DNS queries limitation by host?

Ladislav Vobr lvobr at ies.etisalat.ae
Sun Aug 22 03:32:12 UTC 2004


> You obviously haven't understood what I posted. A firewall doesn't
> only completely block unwanted traffic. Some firewalls *do* provide
> rate limiting. As, of course, do routers.

	hmm, perhaps you haven't understood what I posted as well, and I see 
your reply is a very general one. Have you ever tried to do such a thing? I 
have not said that rate limiting is not in the firewalls or routers; I 
was talking about dynamic rate limiting, not that, for example, I will 
preconfigure in my router/firewall that the user from 1.2.3.4 cannot exceed 
256 kbps. Can you imagine the router config when you have around 4 class Bs for 
your customers and each of them might flood you :-) ? Restricting total 
traffic for them doesn't help at all; preconfiguring **each** of them 
(let's say /32) in the router config, are you really suggesting this?

Most fw/routers don't support dynamic rate limiting, and many 
developers know it and their applications implement it, since it is a 
must today for big public environments.

> 
>     Ladislav> Customers doing what they want, if bind can rate limit
>     Ladislav> them, they will of course re-evaluate their behaviour,
>     Ladislav> because they will be forced to do it. 
> 
> This is nonsense. First of all, the customers are probably not "doing
> what they want". They're most likely doing what their ISP told them to
> do a long time ago. Presumably neither the ISP or the customer at that
> time had a clue about DNS operations and the pointless stupidity of

	We never advise customers to do it; however, IMHO they feel more secure 
configuring their firewalls to allow DNS UDP traffic to their ISP only (us), 
not to all Internet DNS servers. A UDP stateful firewall will help, but 
educating the customers, or making sure they upgrade and use it, is a 
completely different and long-term task.

> How someone choses to configure rate limiting on their routers is up
> to them. In all likelihood, the excessive traffic will be coming from
> a small number of IP addresses, so it would be trivial to make the

	hmm, what is small for you? Do you know that today almost everybody has 
at least ISDN, DSL or cable? Do you know that filling the recursive-clients 
queue on BIND is a piece of cake even for an analog dial-up user? Do you 
know that BIND doesn't even bother to log this or give you a hint why 
and who is doing this?

> 
> PS: I said in my earlier posting that anyone who wanted to see rate
> limiting in BIND should feel free to contribute code. Since you seem
> to think rate limiting DNS queries is a desirable thing to do, go
> ahead. Implement it.

I am trying my best here to solve this; so far I don't have any solution, 
only some kind of workaround, which I cannot really offer, since it has a 
lot of drawbacks, and I myself am not sure if it's really good to do.

Ladislav
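The post contrasts static per-address limits configured ahead of time with dynamic rate limiting, where the server itself decides per source, at query time, who is exceeding a budget. The following is an added example of what such a limiter looks like when replayed over query-log lines; it is not BIND code and not from the original message. The log layout, the IP addresses, the per-source budget (burst of 5 queries, refilled at 5 queries/second) and the sample lines are all constructed for the example, with the line format modelled on BIND 9 query logging.

```python
"""Dynamic per-source rate limiting of DNS queries, replayed over log lines.

Added example (not BIND's code). Each source IP gets its own token bucket:
`burst` tokens to start, refilled continuously at `rate` tokens/second.
A query that finds no token is counted as dropped, so the per-source
counters show which clients exceeded the budget without any per-address
preconfiguration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured traffic). Layout modelled on BIND 9
# query logging: "<dd-Mon-yyyy HH:MM:SS.mmm> client <ip>#<port>: query: <name> IN <type> <flags>".
# 192.0.2.10 fires 12 queries within ~0.17 s; 198.51.100.7 sends one query per second.
SAMPLE_LOG = "\n".join(
    [f"22-Aug-2004 03:32:12.{i * 15:03d} client 192.0.2.10#{40000 + i}: "
     f"query: host{i}.example.net IN A +" for i in range(12)]
    + [f"22-Aug-2004 03:32:1{s}.000 client 198.51.100.7#53001: "
       f"query: www.example.org IN A +" for s in range(2, 9)]
)

# Assumed log layout; tolerant of extra trailing flags after the query type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp_seconds, source_ip, qname, qtype), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp()
    return ts, m["ip"], m["qname"], m["qtype"]


class TokenBucket:
    """Token bucket for one source: up to `burst` tokens, refilled at `rate`/s."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        # Refill for the time elapsed since the last query from this source,
        # capped at the burst size, then spend one token if one is available.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit_queries(log_text, rate=5.0, burst=5):
    """Replay query-log lines through per-source buckets.

    Returns {ip: {"allowed": n, "dropped": n}}. Sources are created on first
    sight, so nothing has to be configured per address in advance.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])  # replay in time order
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip, _qname, _qtype in events:
        bucket = buckets.get(ip)
        if bucket is None:
            bucket = buckets[ip] = TokenBucket(rate, burst, ts)
        stats[ip]["allowed" if bucket.allow(ts) else "dropped"] += 1
    return dict(stats)


def top_offenders(stats, n=10):
    """Sources ordered by dropped-query count, highest first: (ip, dropped)."""
    ranked = sorted(((ip, s["dropped"]) for ip, s in stats.items()),
                    key=lambda t: t[1], reverse=True)
    return [t for t in ranked if t[1] > 0][:n]


if __name__ == "__main__":
    results = rate_limit_queries(SAMPLE_LOG)
    for ip, s in sorted(results.items()):
        print(f"{ip:16} allowed={s['allowed']:3} dropped={s['dropped']:3}")
    print("offenders:", top_offenders(results))
```

With the constructed input, the bursting client gets its first 5 queries through and has the remaining 7 dropped, while the client sending one query per second is never throttled, because its bucket refills faster than it spends. The same budget applies to every source, and the dropped counters identify the offending addresses after the fact, which is the kind of information the poster says he cannot get from the server itself.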
