DNS queries limitation by host?

Ladislav Vobr lvobr at ies.etisalat.ae
Wed Aug 25 03:28:21 UTC 2004


> You need to remember that the DNS protocol is stateless. A nameserver
> considers each query on its own without regard to previous queries. The only
> information it saves in cache are responses to its own queries to other
> nameservers. To add rate limiting would require changes to store previous
> query information. It also requires a massive increase in memory to remember
> that information as well as longer lookup times while it checks for previous
> queries from the same source. You really want to do this? It's faster to
> just send back an answer to the query.

I believe there are dns products, which were designed with these points 
in mind, bind is imho currently not. Don't you see that this kind of 
traffic causing such problems is growing not linearly but almost 
exponentially in today's public internet. Better logging will help, 
since we can use an external script to adjust the rules (be it firewall, 
bogus, blackhole, iptables, ipfw). If bind itself doesn't give you a clue 
what makes your recursive queue full, you sometimes really need a 
crystal ball to find it out:-) If recursive bind doesn't tell you right 
now I am flooding outside servers with a hundred, two hundred requests 
for each *this particular client request* I received, again you are 
blind, you can not blackhole it, you can not bogus it, you can not block 
it....

Ladislav
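The "external script" approach argued for above, as an added example that is not part of the list post and not code from BIND: a small Python script that reads BIND 9-style query log lines, keeps a sliding window of queries per source address, and reports the sources that exceed a threshold together with how many distinct names they asked for (a flood of unique names, each forcing a fresh recursion, looks different from one host re-asking the same name). The log format, the addresses, the names and the thresholds are all constructed for the example; a real deployment would read the resolver's actual query log and feed the flagged sources into whatever blocking mechanism the operator uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for a BIND 9-style query log line. The exact layout is an assumption
# for this example; adjust the pattern to the format your BIND version emits.
# Example line (constructed):
#   25-Aug-2004 03:28:21.000 client 192.0.2.10#53211: query: www.example.com IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, source, qname, qtype) or None for an unrecognised line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("qname"), m.group("qtype")


def find_flooders(lines, window_seconds=10, max_queries=20):
    """Sliding-window rate check per source address.

    Returns {src: {"peak": n, "distinct_qnames": m}} for every source that sent
    more than max_queries queries inside any window_seconds interval. Lines that
    do not parse are skipped, so a mixed log file does not abort the scan.
    """
    windows = defaultdict(deque)   # src -> timestamps still inside the window
    names = defaultdict(set)       # src -> distinct names queried
    flagged = {}                   # src -> highest in-window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, qname, _ = rec
        names[src].add(qname)
        q = windows[src]
        q.append(ts)
        # drop timestamps that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_queries:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return {
        src: {"peak": peak, "distinct_qnames": len(names[src])}
        for src, peak in flagged.items()
    }


def make_line(second, src, qname):
    """Build one constructed log line at 03:28:<second> on 25-Aug-2004."""
    return f"25-Aug-2004 03:28:{second:02d}.000 client {src}#53211: query: {qname} IN A +"


# Constructed sample log: one client hammering unique names, one quiet client,
# and one steady but moderate client, all within a single minute.
SAMPLE_LOG = (
    [make_line(i // 6, "192.0.2.10", f"host{i}.example.net") for i in range(30)]  # 30 queries in 5 s
    + [make_line(i * 10, "198.51.100.7", "www.example.com") for i in range(5)]    # 5 queries over 50 s
    + [make_line(i * 2, "203.0.113.5", "mail.example.org") for i in range(25)]    # 25 queries over 50 s
)

if __name__ == "__main__":
    for src, info in find_flooders(SAMPLE_LOG).items():
        print(f"{src}: peak {info['peak']} queries in window, "
              f"{info['distinct_qnames']} distinct names")
```

With the defaults (20 queries per 10 seconds) only 192.0.2.10 is reported; widening the window to 60 seconds also catches 203.0.113.5, which shows why the thresholds have to be tuned against the resolver's normal client mix before the output is wired into any automatic blocking.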




More information about the bind-users mailing list