Query on the Overload control mechanism for DNS Server

Ram Kishore B ramkishore.b at gmail.com
Sun Apr 30 13:52:31 UTC 2017


Thanks for the quick response.



Is it possible to rate-limit the number of packets per second allowed by
a specific iptables rule, especially for *UDP*? If yes, our partial
requirement will be satisfied.



The only difficulty I can think of at the moment with using this rule is
that the peers will not be sent any response, which can make them retry.

Otherwise, having the rate limit in BIND's incoming phase would provide the
flexibility of responding with a specific error code to let the peer
understand the situation.




Thanks,
Kishore
97 424 424 19

On Sun, Apr 30, 2017 at 6:42 PM, Sebastian Büttner <sebastian at bueddl.de>
wrote:

> Hi,
>
> is there any reason why you are not performing this rate limiting
> using a firewall like iptables/netfilter?
>
> You could limit the incoming requests at this point with ease, and the
> nameserver would never see the dropped requests, thus not wasting
> CPU time.
> Also, this approach allows for a dedicated firewall device (for example
> simple hardware also running Linux+iptables or Unix+BPF).
>
>   Sebastian
>
> On 2017-04-30 15:04, ramkishore.b at gmail.com wrote:
>
>> Hi,
>> To protect the DNS server from overload, is there any feature already
>> part of the BIND software (or achievable with configuration
>> changes) which can be enabled/disabled?
>> I came across the documentation of a relevant feature called response
>> rate limiting (RRL), and it looks like it is mostly useful for taking the
>> decision at the time of response transmission, after the handling of
>> the incoming request.
>> Correct me if I am wrong here.
>>
>> But what I am looking for is a feature which calculates the incoming rate
>> and rejects the messages above a certain limit at the initial stage
>> itself, before handling them, and drops them so that no processing
>> resources are wasted.
>> This type of mechanism will be very useful in defining the
>> benchmark limit for any particular server based on its CPU and
>> resource utilization.
>>
>> The BIND version we currently use is BIND 9.11.
>>
>> Any expert inputs are very much appreciated. Thanks.
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
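An added example, not code from the thread, from BIND or from either poster: the netfilter side of Sebastian's suggestion and the BIND side of Kishore's concern, in one shell script. The chain name DNS_UDP_IN, the hashlimit table name dns_udp_src, the numbers chosen for the limits, and the IPTABLES variable used for dry runs are my assumptions. The iptables hashlimit match keeps a per-source token bucket, so queries above the configured rate are dropped before named ever reads them; a dropped UDP query gets no answer, which is the retry problem raised above. BIND's rate-limit block (RRL) acts on responses, but its slip option turns every Nth rate-limited response into a truncated (TC=1) reply, so a well-behaved client retries over TCP, and because the netfilter rule below only touches UDP/53, that TCP retry gets through.

```shell
#!/bin/sh
# Added example for this thread, not code from BIND or the posters.
# Assumptions: chain name DNS_UDP_IN, hashlimit table name dns_udp_src,
# and the IPTABLES variable, which lets you dry-run with IPTABLES=echo.
IPTABLES="${IPTABLES:-iptables}"

# Accept only unsigned integers for rates and bursts.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Per-source-IP rate limit on inbound UDP/53 (the netfilter approach).
# Arguments: <packets per second per source> <burst>
# Queries above the limit are dropped before named sees them; the sender
# gets nothing back, which is the retry concern raised in the thread.
dns_udp_limit_rules() {
    pps="$1"; burst="$2"
    is_uint "$pps" && is_uint "$burst" || {
        echo "usage: dns_udp_limit_rules <pps> <burst>" >&2; return 1; }

    # Dedicated chain so the rules can be re-applied idempotently.
    $IPTABLES -N DNS_UDP_IN 2>/dev/null || true
    $IPTABLES -F DNS_UDP_IN

    # hashlimit keeps one token bucket per source /32 (srcmask 32); use 24
    # to limit whole prefixes instead. --hashlimit-above matches once the
    # source exceeds pps/sec after spending its burst; idle entries expire
    # after 30 s (the expire value is in milliseconds).
    $IPTABLES -A DNS_UDP_IN -m hashlimit \
        --hashlimit-name dns_udp_src \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-above "${pps}/sec" --hashlimit-burst "$burst" \
        --hashlimit-htable-expire 30000 \
        -j DROP
    $IPTABLES -A DNS_UDP_IN -j RETURN

    # Hook only UDP/53 into the chain. TCP/53 is deliberately left alone so
    # that clients answered with a truncated (TC=1) response by RRL can
    # retry over TCP. Remove any previous jump first so re-runs do not stack.
    $IPTABLES -D INPUT -p udp --dport 53 -j DNS_UDP_IN 2>/dev/null || true
    $IPTABLES -I INPUT -p udp --dport 53 -j DNS_UDP_IN
}

# BIND 9 response rate limiting fragment for named.conf (the feedback to
# the peer that the netfilter drop cannot give). "slip N" sends every Nth
# rate-limited response as a truncated reply instead of dropping it, so a
# real client retries over TCP while a spoofed source gets a tiny packet.
# Arguments: <responses per second per client> <slip>
rrl_named_conf() {
    rps="$1"; slip="$2"
    is_uint "$rps" && is_uint "$slip" || return 1
    cat <<EOF
options {
    rate-limit {
        responses-per-second ${rps};
        window 5;
        slip ${slip};
        log-only no;   # set to yes first to see what would be limited
    };
};
EOF
}

# Apply for real (as root):        sh this_script.sh apply
# Dry-run the netfilter rules:     IPTABLES=echo sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    dns_udp_limit_rules 50 200
    rrl_named_conf 10 2
fi
```

Run it with `log-only yes` and a low `responses-per-second` first and watch the named log to see which clients would be limited before switching the drop on; the netfilter limit should be set well above what a single legitimate recursive resolver sends you, since each resolver looks like one source.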