rate limiting queries with firewall (was: Stopping ddos)

Grant Taylor gtaylor at tnetconsulting.net
Wed Aug 3 16:35:23 UTC 2022


On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote:
> It looks like you're dealing with A queries for the root domain.  I've 
> blocked this, and similar queries, via iptables firewall in the past.

I've seen a number of responses to Robert's "Stopping ddos" thread 
discussing using firewalls (iptables) to /rate/ /limit/ queries.

I wanted to add an overarching comment that such /rate/ /limiting/ 
ultimately means that some amount of state must be maintained on 
systems.  This is a potential vector for a denial of service if left 
unchecked.

So I'd like to clarify that I believe that it is better in some 
situations to /statelessly/ /drop/ traffic that has no reason for going 
to a server.  E.g. a server that's only authoritative for 2nd level 
domains has no business responding to any form of queries for the root zone.

To wit, I have the following rule in the PREROUTING chain of the raw 
table to filter out queries for the root zone.

iptables -t raw -A PREROUTING -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DROP

Just a follow-up / drive-by comment.



-- 
Grant. . . .
unix || die
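Added example, not part of Grant's post: it builds a few DNS query payloads and emulates the string match above, to show what the pattern `|0000ff0001|` decodes to on the wire (name terminator 0x00, QTYPE 255 = ANY, QCLASS 1 = IN) and why `--from 40` lands on the question section (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header; IPv4 options or IPv6 would shift it). Because the search runs from byte 40 to the end of the packet, the five bytes match an ANY/IN question for any name, not only the root, while an A query for the root encodes as 0000010001 and is not matched; the anchored variant shows what narrowing the search window to the start of the question section would match instead.

```python
# Added example (not from the original post): build DNS query payloads and
# check them against the byte pattern the iptables rule above searches for.
import struct

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12   # assumption: plain IPv4, no options
RULE_FROM = 40                         # --from 40 in the rule
PATTERN = bytes.fromhex("0000ff0001")  # |0000ff0001| in the rule

QTYPE = {"A": 1, "ANY": 255}
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format; '.' (root) is a single 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def question_bytes(dns_payload):
    """Hex of everything after the DNS header, i.e. what sits at packet offset 40."""
    return dns_payload[DNS_HDR:].hex()


def rule_matches(dns_payload):
    """Emulate '--from 40 --to 65535': the pattern may occur anywhere from
    packet offset 40 onward. Offset 40 of the packet is offset 12 of the payload."""
    start = RULE_FROM - IP_HDR - UDP_HDR
    return PATTERN in dns_payload[start:]


def anchored_match(dns_payload):
    """Variant that only matches when the question section itself starts with
    the pattern, i.e. the query is exactly <root, ANY, IN>."""
    return dns_payload[DNS_HDR:DNS_HDR + len(PATTERN)] == PATTERN


if __name__ == "__main__":
    for name, qtype in [(".", "ANY"), (".", "A"), ("example.com", "ANY")]:
        pkt = build_query(name, qtype)
        print(f"{name:12} {qtype:4} question={question_bytes(pkt)} "
              f"rule_drop={rule_matches(pkt)} anchored_drop={anchored_match(pkt)}")
```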
