How to throttle misconfigured clients?

von Dein, Thomas Thomas.vonDein at f-i-ts.de
Tue Mar 3 12:09:03 UTC 2020


Hello,

We're seeing a lot of malformed DNS queries to our recursive nameservers like these:

06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ AAAA? notification. (30)
06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105)
06:38:33.216732 IP client.59003 > nameserver2.53: 63187+ AAAA? antivirusix. (29)
06:38:33.218090 IP nameserver2.53 > client.59003: 63187 NXDomain 0/1/0 (104)
06:38:35.417973 IP client.59003 > nameserver2.53: 53861+ AAAA? kubeinspect. (29)
06:38:35.418420 IP nameserver2.53 > client.59003: 53861 NXDomain 0/1/0 (104)
06:38:37.729107 IP client.59003 > nameserver2.53: 11185+ AAAA? organization. (30)
06:38:37.729539 IP nameserver2.53 > client.59003: 11185 NXDomain 0/1/0 (105)
06:38:38.158519 IP client.59003 > nameserver2.53: 14657+ AAAA? history. (25)
06:38:38.158897 IP nameserver2.53 > client.59003: 14657 NXDomain 0/1/0 (100)
06:38:38.571983 IP client.59003 > nameserver2.53: 29269+ AAAA? go-kms. (24)
06:38:38.572437 IP nameserver2.53 > client.59003: 29269 NXDomain 0/1/0 (99)

Obviously these clients (there are many) are misconfigured in some weird way. But sometimes they send valid queries. So, what I'd like to do is to throttle them down somehow when they start to send these queries. And I only want to do this for clients in this specific source network, not for all.

The only idea I had so far was to configure these "zones" as forward zones and add a non-reachable forwarder so that the queries time out - thus throttling down the clients. But I hope there's a more official or cleaner way to do this.

Is this possible?



Thanks in advance,
Tom
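
Added example, not part of the original post: a small Python script that pairs the queries in a tcpdump capture like the one above with their NXDomain replies and lists the clients sending bursts of single-label names. The first six sample lines are from the post, the last two are constructed; the function names, the threshold of 3 and the 10-second window are assumptions for illustration.

```python
import re
from collections import defaultdict

# First six lines are from the post; the last two are constructed (a valid lookup).
SAMPLE = """\
06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ AAAA? notification. (30)
06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105)
06:38:33.216732 IP client.59003 > nameserver2.53: 63187+ AAAA? antivirusix. (29)
06:38:33.218090 IP nameserver2.53 > client.59003: 63187 NXDomain 0/1/0 (104)
06:38:35.417973 IP client.59003 > nameserver2.53: 53861+ AAAA? kubeinspect. (29)
06:38:35.418420 IP nameserver2.53 > client.59003: 53861 NXDomain 0/1/0 (104)
06:38:36.000000 IP client.59003 > nameserver2.53: 40000+ A? www.example.com. (33)
06:38:36.001000 IP nameserver2.53 > client.59003: 40000 1/0/0 A 192.0.2.10 (49)
"""

QUERY = re.compile(r"^(\S+) IP (\S+)\.(\d+) > \S+\.53: (\d+)\S* (\w+)\? (\S+) ")
NXDOMAIN = re.compile(r"^(\S+) IP \S+\.53 > (\S+)\.(\d+): (\d+)\S* NXDomain ")

def seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def single_label_nxdomains(lines):
    """Pair queries with NXDomain replies; return {client: [(time, qname), ...]}."""
    pending, hits = {}, defaultdict(list)
    for line in lines:
        if m := QUERY.match(line):
            _, client, port, qid, _, qname = m.groups()
            pending[(client, port, qid)] = qname
        elif m := NXDOMAIN.match(line):
            ts, client, port, qid = m.groups()
            qname = pending.pop((client, port, qid), None)
            # Only names without an inner dot ("history.") count as single-label.
            if qname and "." not in qname.rstrip("."):
                hits[client].append((seconds(ts), qname))
    return hits

def noisy_clients(hits, threshold=3, window=10.0):
    """Clients with at least `threshold` such replies inside any `window` seconds."""
    flagged = set()
    for client, events in hits.items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(client)
                break
    return flagged

if __name__ == "__main__":
    print(noisy_clients(single_label_nxdomains(SAMPLE.splitlines())))
```
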

