Limit queries per IP address.

Joao Martins jrmartiz at gmail.com
Mon Apr 7 14:29:53 UTC 2008


Thanks David.
That was what I expected.

regards, JM




On Tue, Mar 11, 2008 at 3:47 PM, David Nolan <vitroth+ at cmu.edu> wrote:

>
>
> --On Tuesday, March 11, 2008 14:07:11 +0000 João Martins
> <jrmartiz at gmail.com> wrote:
>
> > Do I have any option that limit the number of queries for each client or
> > specific network? The idea is limiting a number of queries that a user
> (or
> > IP address) can do by second or even by minute.
> >
>
>
> I don't believe there is a way to do this in BIND directly, however here
> are a couple tips that might help.
>
> If you can install host firewall rules, you may be able to use those to
> rate limit the queries.  For example, on a linux machine you could use:
> iptables -A INPUT -s $ipaddress -p udp --dport 53 -m limit --limit 3/s -j ACCEPT
> iptables -A INPUT -s $ipaddress -p udp --dport 53 -j DROP
>
> Note however that that might make things much worse from the client
> machine's perspective, as they'll just receive DNS timeouts, so I would
> only do something along this line in an extreme scenario.
>
> The approach we take at Carnegie Mellon for our heavy query client machines
> (mostly mail servers), is to provide dedicated DNS server addresses for
> those machines.  We don't provide dedicated server hardware, we just make
> those server addresses be secondary IP addresses on our normal pool of DNS
> servers.  For example:
>
> - Most client machines receive via DHCP two name servers, 10.0.0.10 and
> 10.0.0.11
> - High query server machines receive via DHCP (or static resolv.conf) two
> different dns server addresses, 10.0.0.13 and 10.0.0.14.
>
> But 10.0.0.13 and 10.0.0.10 are actually served by the same machine, with
> 10.0.0.13 being a secondary interface (eth0:1 for example) (*).  Why does
> this help you might ask...  Because BIND processes queries from each of its
> interfaces in a round robin fashion.  So the heavy query load to 10.0.0.13
> will generate a large queue of requests on that interface, while the
> 10.0.0.10 interface will have a much smaller (or empty) queue of requests,
> and those requests will get processed equally with the large queue.
>
>
> (*):  Actually our setup is more complex than this.  The published
> recursive server addresses are actually served via a pool of servers via
> internal Anycast.  This allows for redundancy of our dns servers, and
> horizontal scaling.
>
>
> -David Nolan
>  Network Systems Engineer
>  Computing Services
>  Carnegie Mellon University
>
>
>
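Added example, not part of the thread: before applying per-client firewall rules like the iptables lines David quotes, an operator wants to know which clients actually exceed a given rate. This script parses BIND 9 query-log lines (the sample lines and addresses below are constructed) and reports client IPs whose peak one-second query count is above a threshold, defaulting to the 3/s used in the rule above.

```python
import re
from collections import defaultdict

# BIND 9 query-log line, e.g.
#   07-Apr-2008 14:29:53.123 client 10.0.0.5#53123: query: example.com IN A +
# Newer releases insert "@0x..." and the queried name before the colon; the
# regex tolerates both forms. The timestamp is kept at one-second resolution.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: "
)

def peak_rates(lines):
    """Return {client_ip: highest number of queries seen in any single second}."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line (lame-server notices, errors, etc.)
        per_sec[m["ip"]][m["ts"]] += 1
    return {ip: max(buckets.values()) for ip, buckets in per_sec.items()}

def heavy_clients(lines, limit_per_sec=3):
    """(ip, peak) pairs for clients whose peak rate exceeds the limit, heaviest first."""
    peaks = peak_rates(lines)
    return sorted(((ip, n) for ip, n in peaks.items() if n > limit_per_sec),
                  key=lambda t: (-t[1], t[0]))

# Constructed sample log: a mail server bursting 5 queries in one second,
# a workstation doing 2 per second, plus one non-query line that is skipped.
SAMPLE_LOG = [
    "07-Apr-2008 14:29:53.001 client 10.0.0.50#41000: query: mx1.example.net IN A +",
    "07-Apr-2008 14:29:53.120 client 10.0.0.50#41001: query: mx2.example.net IN A +",
    "07-Apr-2008 14:29:53.250 client 10.0.0.50#41002: query: 5.0.0.10.in-addr.arpa IN PTR +",
    "07-Apr-2008 14:29:53.400 client 10.0.0.50#41003: query: example.org IN MX +",
    "07-Apr-2008 14:29:53.700 client 10.0.0.50#41004: query: example.org IN A +",
    "07-Apr-2008 14:29:53.800 client 10.0.0.77#52000: query: www.example.com IN A +",
    "07-Apr-2008 14:29:53.900 client 10.0.0.77#52001: query: www.example.com IN AAAA +",
    "07-Apr-2008 14:29:54.100 client 10.0.0.50#41005: query: example.com IN A +",
    "07-Apr-2008 14:29:54.300 lame server resolving 'example.org' (in 'example.org'?): 192.0.2.1#53",
]

if __name__ == "__main__":
    for ip, n in heavy_clients(SAMPLE_LOG):
        print(f"{ip} peaked at {n} queries/s (limit 3/s)")
```

Run it against a real `querylog` file with `heavy_clients(open(path))`; the resulting list is the set of addresses worth moving to a dedicated resolver address rather than dropping at the firewall.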


