DNS traffic tracking

Alex K rightkicktech at gmail.com
Mon May 9 12:35:46 UTC 2022


On Mon, May 9, 2022 at 2:46 PM Bjørn Mork <bjorn at mork.no> wrote:

> Alex K <rightkicktech at gmail.com> writes:
> > On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> >
> >> maybe someone uses VPN over DNS...
> >> in such case, rate limiting of client comes to mind...
> >>
> > That would mean that the clients have access to their own dns servers,
> > which the firewall does not allow.
>
> No, you can run IP over DNS using any resolver.  Also yours.
>
> Yes, they need a server for the remote end. But your resolver will be
> the one talking to it, just like it queries any other authoritative
> server on behalf of the client.
>
> Typically something you do for fun. Not for normal use.  But I guess it
> could be in use by those who need a reliable communication channel
> inside any "isolated" environment.  DNS tends to be available even where
> nothing else is.
>
I see. Thanks for clarifying.


>
> FWIW I agree with the rate-limit recommendation.  It solves both this
> and your original problem without any complicated and messy tracking.
> Just make DNS "free" up to some reasonable query rate.  If there are
> clients with higher legitimate needs, then you could consider creating
> separate rate-limit classes for those clients.  And even charge extra
> for that, if it's important.
>
Does such DNS traffic have different characteristics from the normal one?
Perhaps, apart from limiting, I could block such traffic with the packet
size or similar.


>
> Bjørn
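On the question of whether IP-over-DNS traffic looks different from normal lookups, here is an added example that is not part of the original thread. It groups BIND-style query log lines per client and parent zone and flags groups with many unique, long, high-entropy subdomains. The log lines are constructed, and the thresholds and the "last two labels" zone split are assumptions to tune locally.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Matches the client address and query name in a BIND "queries" log line.
LINE_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \(\S+\): query: (\S+) IN")

def sample_log():
    """Constructed BIND-style query log lines (not real traffic)."""
    fmt = ("09-May-2022 12:00:{:02d}.000 client @0x7f00 {}#40000 ({}): "
           "query: {} IN {} +E(0) (192.0.2.1)")
    rows = [(f"{h}.example.com", "A", "192.0.2.10")
            for h in ("www", "mail", "api", "cdn")] * 5
    # Encoded-looking labels under one zone, as a tunnel client would produce.
    rows += [(hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.example.net",
              "TXT", "192.0.2.20") for i in range(20)]
    return [fmt.format(i % 60, ip, q, q, t) for i, (q, t, ip) in enumerate(rows)]

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def suspects(lines, min_unique=15, min_len=30, min_entropy=3.5):
    """Return {(client, zone): stats} for groups that look like tunnelling."""
    groups = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        zone = ".".join(labels[-2:])   # assumption: parent zone = last two labels
        sub = ".".join(labels[:-2])
        if sub:
            groups[(client, zone)].add(sub)
    flagged = {}
    for key, subs in groups.items():
        mean_len = sum(map(len, subs)) / len(subs)
        ent = entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and mean_len >= min_len and ent >= min_entropy:
            flagged[key] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                            "entropy": round(ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, zone), stats in suspects(sample_log()).items():
        print(client, zone, stats)
```

Packet size alone is a weak signal, since DNSSEC answers are large too; the count of unique names per zone per client is usually the more telling one.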