limiting number of requests of a single host

Fr34k freaknetboy at yahoo.com
Fri Jun 15 13:03:08 UTC 2012


Hello,

You may wish to read ISC/BIND's ARM about these settings (i.e., what they do, how they work, what the defaults are, etc):


        recursive-clients N;
        tcp-clients M;
        clients-per-query P;
        max-clients-per-query R;


where N, M, P, and R are numbers appropriate for your environment for each respective option.
See BIND v9.x ARM at https://kb.isc.org/category/116/0/10/Software-Products/BIND9/Documentation/

HTH




> From: Holemans Wim <wim.holemans at ua.ac.be>
>To: "'bind-users at lists.isc.org'" <bind-users at lists.isc.org> 
>Sent: Friday, June 15, 2012 4:25 AM
>Subject: limiting number of requests of a single host
>
>We have a problem with one of our firewalls caused by DNS peaks. Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall.
>The firewall is due for replacement, but in the meantime we would like to stop these peaks at their origin or at least try to limit their impact.
> 
>We have 6 DNS servers (BIND) on our campus that are all authoritative for our domains and also resolvers for our campus hosts.
>Most of our clients, however, use our AD/LDAP/DNS Microsoft servers as their resolver, which in turn contact our 6 DNS servers for further resolving.
> 
>What we figured out by packet capturing is that at a certain point in time these AD/LDAP/DNS servers start 'collecting' DNS requests without sending them further and then in a burst pass them on to our 6 DNS servers, which try to resolve these queries. Due to the fact that one request of a client mostly results in several queries from our DNS servers to the outside world (root server contact, NS record resolving, ...), this results in a burst of DNS requests through our firewalls, killing them.
> 
>I have 2 questions. One, is there a way to rate-limit the number of requests a single client (the AD servers in this case) can have outstanding against a BIND server? A kind of rate-limiting parameter for the BIND name server.
>Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS server and has a clue what could cause this stalling ? Solving that would be the best solution.
> 
>Thanks in advance for any suggestion or answer,
> 
>Wim Holemans
>Netwerkdienst Universiteit Antwerpen
>Network Services University of Antwerp
> 
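As an added example (not code from either poster), a small Python script that does what the original question needs before any of the BIND limits above can be tuned: it identifies which client is producing a burst like the 20K/15sec one described, by sliding a 15-second window over BIND query-log lines per client. The log-line format and the sample lines are constructed here and assume a BIND file logging channel with `print-time yes` and lines in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in BIND 9 "queries" category format (assumption:
# file channel with print-time yes). Client 10.1.1.10 fires 5 queries in ~1s.
SAMPLE_LOG = """\
15-Jun-2012 04:25:00.101 client 10.1.1.10#53211: query: www.example.com IN A + (10.1.1.1)
15-Jun-2012 04:25:00.150 client 10.1.1.10#53212: query: mail.example.com IN MX + (10.1.1.1)
15-Jun-2012 04:25:00.160 client 10.1.1.10#53213: query: ns1.example.net IN A + (10.1.1.1)
15-Jun-2012 04:25:00.170 client 10.1.1.10#53214: query: example.org IN AAAA + (10.1.1.1)
15-Jun-2012 04:25:01.200 client 10.1.1.10#53215: query: www.example.org IN A + (10.1.1.1)
15-Jun-2012 04:25:02.300 client 10.1.1.20#40001: query: intranet.example.edu IN A + (10.1.1.1)
15-Jun-2012 04:25:20.400 client 10.1.1.10#53216: query: www.example.com IN A + (10.1.1.1)
"""

# Timestamp, then "client <ip>#<port>: query:"; IPv4 and IPv6 literals both match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query:"
)


def parse(line):
    """Return (timestamp, client_ip) for a query-log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip")


def find_bursts(lines, window_s=15.0, threshold=5):
    """Map client_ip -> peak number of queries seen inside any window_s-second
    sliding window, for clients that reached threshold at least once.
    Lines are assumed chronological (as BIND writes them)."""
    recent = defaultdict(deque)   # per-client timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop queries older than window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```

Running it over a real log with `threshold` set near the observed burst size (e.g. 20000 in 15 s) names the AD/LDAP/DNS servers responsible, which is the input needed to size clients-per-query and recursive-clients sensibly.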

