DNS queries limitation by host ?
Ladislav Vobr
lvobr at ies.etisalat.ae
Wed Aug 25 03:28:21 UTC 2004
> You need to remember that the DNS protocol is stateless. A nameserver
> considers each query on its own without regard to previous queries. The only
> information it saves in cache are responses to its own queries to other
> nameservers. To add rate limiting would require changes to store previous
> query information. It also requires a massive increase in memory to remember
> that information as well as longer lookup times while it checks for previous
> queries from the same source. You really want to do this? It's faster to
> just send back an answer to the query.
I believe there are dns products, which were designed with these points
in mind, bind is imho currently not. Don't you see that this kind of
traffic causing such problems is growing not linearly but almost
exponentially in today's public internet. Better logging will help,
since we can use an external script to adjust the rules (be it firewall,
bogus, blackhole, iptables, ipfw). If bind itself doesn't give you a clue
what makes your recursive queue full, you sometimes really need a
crystal ball to find it out:-) If recursive bind doesn't tell you right
now "I am flooding outside servers with a hundred or two hundred requests
for each *this particular client request* I received", again you are
blind, you cannot blackhole it, you cannot bogus it, you cannot block
it...
Ladislav
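As an added example (not from this thread and not BIND's own code), this is the kind of external script Ladislav describes: it reads BIND query-log lines, keeps a per-client sliding window, and reports the clients whose query rate exceeds a threshold, so an operator can decide what to feed into a firewall or blackhole rule. The line layout follows the BIND 9 `queries` logging channel (`client IP#port: query: NAME IN TYPE +`); the sample log lines, thresholds, and the function names `parse_line` and `find_flooding_clients` are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One BIND 9 "queries" channel line (format assumed for this example):
# 25-Aug-2004 03:28:21.001 client 192.0.2.10#53211: query: a.example.net IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample log: 192.0.2.10 bursts six queries in about a second,
# 192.0.2.20 behaves normally, and one junk line must be ignored.
SAMPLE_LOG = """\
25-Aug-2004 03:28:21.001 client 192.0.2.10#53211: query: a.example.net IN A +
25-Aug-2004 03:28:21.002 client 192.0.2.20#40001: query: www.example.org IN A +
25-Aug-2004 03:28:21.250 client 192.0.2.10#53212: query: b.example.net IN A +
25-Aug-2004 03:28:21.500 client 192.0.2.10#53213: query: c.example.net IN A +
25-Aug-2004 03:28:21.750 client 192.0.2.10#53214: query: d.example.net IN A +
25-Aug-2004 03:28:22.000 client 192.0.2.10#53215: query: e.example.net IN A +
25-Aug-2004 03:28:22.250 client 192.0.2.10#53216: query: f.example.net IN A +
25-Aug-2004 03:28:30.000 client 192.0.2.20#40002: query: mail.example.org IN MX +
25-Aug-2004 03:28:40.000 client 192.0.2.10#53217: query: g.example.net IN A +
this line is not a query log entry
"""


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name"), m.group("type")


def find_flooding_clients(lines, max_queries, window_seconds):
    """Return {client_ip: peak_count} for every client that sent more than
    max_queries within any window_seconds-long sliding window.

    The nameserver itself keeps no per-client state (the point made in the
    quoted mail), so this script carries that state instead: one deque of
    recent timestamps per client. Lines are expected in time order, as
    written by the server.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_queries:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders


if __name__ == "__main__":
    # Flag any client with more than 4 queries in any 5-second window.
    for ip, peak in find_flooding_clients(SAMPLE_LOG.splitlines(), 4, 5).items():
        print(f"{ip}: peak {peak} queries in a 5s window; candidate for a local rule")
```

In practice the script would tail the live query log (BIND needs a `logging` channel for the `queries` category turned on) and the threshold would be tuned per site; the output is a list to review, not something to block automatically, since a busy legitimate resolver behind NAT can look exactly like a flood.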