A lot of queries from a customer.

Drunkard Zhang gongfan193 at gmail.com
Tue Jul 17 15:15:17 UTC 2012


2012/7/17 Fr34k <freaknetboy at yahoo.com>:
> We have been monitoring the same.
>
> Google found an unrelated, yet similar, issue a few years ago:
> http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC16
>
>
>> Hi,
>>
>> Recently, I have been seeing on one DNS server a lot of queries from a
>> customer to "time-b.netgear.com" (maybe a Netgear NTP server).
>>
>> About 1000 queries per minute.
>>
>> tail -f /var/log/bind9-query.log | grep time-b.netgear.com
>>
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.008 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>> 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query:
>> time-b.netgear.com IN A + (10.1.xx.xx)
>>
>> tcpdump -i eth0 port 53 and host 186.14.xx.xx
>>
>> 12:54:28.375374 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.375479 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.375507 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.375553 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.375638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.376424 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376525 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376807 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376845 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.376906 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.381638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.381693 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 62683+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.381745 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 50898+ A?
>> time-b.netgear.com. (36)
>> 12:54:28.381869 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.382011 IP inter.net.ve.domain > 186.14.xx.xx.32770: 62683 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>> 12:54:28.382058 IP inter.net.ve.domain > 186.14.xx.xx.32770: 50898 2/13/3
>> CNAME nsone.netgear.com., A 209.249.181.21 (343)
>>
>> I can't find a way to limit the queries per minute from this customer.
>> Is it possible in Bind9 to filter these queries, to limit the responses?
>>

We use iptables to do this, which works fine for us:

# accept up to 500 concurrent UDP conntrack entries per source /32 to port 53
iptables -A INPUT -p udp -m state --state NEW -m connlimit \
    --connlimit-upto 500 --connlimit-mask 32 --connlimit-saddr \
    -m udp --dport 53 -j ACCEPT
# accept up to 200 concurrent TCP connections per source /32 to port 53
iptables -A INPUT -p tcp -m state --state NEW -m connlimit \
    --connlimit-upto 200 --connlimit-mask 32 --connlimit-saddr \
    -m tcp --dport 53 -j ACCEPT

Hope it's useful for you ;)

>> Thank in advance,
>>
>> Below, I've attached my configuration
>>
>> OS: ubuntu 11.10
>> Bind: 9.7.3.dfsg-1ubuntu4.1
>>
>> named.conf.options
>>
>> allow-recursion { corp; };
>> allow-query-cache { corp; };
>>
>> corp: clients.
>>
>> allow-query { any; };
>> clients-per-query 10;
>> max-clients-per-query 20;
>> blackhole { bogusnets; };
>> version "I hope this is a joke !";
>> edns-udp-size 512;
>> max-udp-size 512;
>> recursive-clients 1000;
>> max-cache-size 500M;
>> tcp-clients 500;
>> max-cache-ttl 43200; # 12 Hours
>> max-ncache-ttl 900; # 15 min
>>
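Added example, not code from the thread or from either poster: a small Python checker that does over a BIND 9 query log what the original poster did with tail -f | grep, counting queries per client, name and one-minute bucket and flagging buckets over a threshold, and summarising per client how many distinct names and source ports it used. The log-line format is the one quoted above (BIND 9.7 with querylog on). The client addresses, listening address and sample lines are constructed for the example, and the threshold of 300 queries per minute is an assumption.

```python
"""Per-client, per-minute query-rate check over BIND 9 query-log lines.

Added example; not code from the original thread. The line format is the
BIND 9.7 query log quoted in the post, e.g.
  21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: time-b.netgear.com IN A + (10.1.xx.xx)
All sample lines below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# One BIND 9.7 query-log line; client port, class, type, flags and the
# listening address are captured so the report can show them.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9A-Fa-f.:x]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dst>[^)]+)\)$"
)


def parse_line(line):
    """Return the fields of one query-log line, or None for non-query lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def minute_key(ts):
    """'21-Jun-2012 12:50:53' -> '21-Jun-2012 12:50' (one-minute bucket)."""
    return ts[:-3]


def rate_report(lines, threshold):
    """Count queries per (minute, client, qname); return buckets above threshold.

    Result: list of (minute, client, qname, count), largest first.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(minute_key(rec["ts"]), rec["client"], rec["qname"].lower())] += 1
    hot = [(m, c, q, n) for (m, c, q), n in counts.items() if n > threshold]
    return sorted(hot, key=lambda t: -t[3])


def client_summary(lines):
    """Per client: total queries, distinct qnames, distinct source ports.

    The distinct-port figure matters for conntrack-based limits: a UDP
    conntrack entry is keyed on the full 4-tuple, so a client that reuses
    one source port for every query is a single 'connection'.
    """
    totals, names, ports = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["client"]] += 1
        names[rec["client"]].add(rec["qname"].lower())
        ports[rec["client"]].add(rec["port"])
    return {c: {"queries": totals[c], "qnames": len(names[c]), "ports": len(ports[c])}
            for c in totals}


def make_sample():
    """Constructed log (not from the post): one client hammering a single name
    from one source port inside one minute, plus a normally behaving client
    and a non-query line the parser must skip."""
    lines = []
    for i in range(1000):                       # 1000 queries in the 12:50 minute
        sec, ms = i // 17, (i * 37) % 1000      # seconds 0..58
        lines.append("21-Jun-2012 12:50:%02d.%03d client 203.0.113.7#32770: query: "
                     "time-b.netgear.com IN A + (10.1.0.53)" % (sec, ms))
    normal = ["www.example.com", "mail.example.com", "example.net",
              "ntp.example.org", "www.example.org"]
    for i, name in enumerate(normal):           # fresh source port per query
        lines.append("21-Jun-2012 12:50:%02d.000 client 198.51.100.20#%d: query: "
                     "%s IN A + (10.1.0.53)" % (i * 10, 40000 + i, name))
    lines.append("21-Jun-2012 12:51:00.000 general: info: zone example.com/IN: "
                 "loaded serial 2012062101")
    return lines


if __name__ == "__main__":
    sample = make_sample()
    for minute, client, qname, n in rate_report(sample, threshold=300):
        print("%s  %-16s %-24s %d queries/min" % (minute, client, qname, n))
    for client, s in sorted(client_summary(sample).items()):
        print("%-16s queries=%d distinct_qnames=%d distinct_src_ports=%d"
              % (client, s["queries"], s["qnames"], s["ports"]))
```

Feed it the real /var/log/bind9-query.log instead of make_sample() to check a live server. The distinct_src_ports figure is worth reading before relying on the connlimit rules above: connlimit counts conntrack entries per source address, and a UDP entry is keyed on the full 4-tuple, so a client that sends every query from one source port, as 186.14.xx.xx#32770 does in the capture, occupies a single entry however fast it sends. For a per-source rate cap, the iptables hashlimit match (--hashlimit-mode srcip with --hashlimit-above) is the closer fit. The clients-per-query / max-clients-per-query settings in the quoted named.conf.options bound how many recursive clients may wait on one (name, type) lookup at a time; they do not limit the rate at which cached answers are served.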



More information about the bind-users mailing list