DNS queries limitation by host ?

Jim Reid jim at rfc1035.com
Sat Aug 21 12:41:10 UTC 2004


>>>>> "Ladislav" == Ladislav Vobr <lvobr at ies.etisalat.ae> writes:

    >>  BIND has no hooks for this sort of thing. Feel free to
    >> contribute code... Rate limiting is probably best handled by a
    >> router or firewall in front of the name server. Perhaps you
    >> could do that?

    Ladislav> firewall will limit only total traffic or static clients
    Ladislav> (you have to configure in source ip), it will not
    Ladislav> dynamically limit each random customer. It means
    Ladislav> basically that the service will be non-responsive for
    Ladislav> all, if the total traffic is exceeded.

You obviously haven't understood what I posted. A firewall doesn't
only completely block unwanted traffic. Some firewalls *do* provide
rate limiting. As, of course, do routers.

    Ladislav> The rate limiting per customer or per ip is basic thing
    Ladislav> that already many applications are using, apache,
    Ladislav> sendmail, sunone, iplanet... have you noticed it?

Of course. However an HTTP or SMTP transaction is a very different
beast from a DNS transaction. 

    >> I'd also recommend that you get your customers to reconfigure
    >> their name servers so they resolve stuff for themselves instead
    >> of forwarding queries to your name server. That forwarding
    >> server that sends 1200qps is anti-social and probably
    >> broken. It might be helpful to find out why it's generating so
    >> much traffic. Even better would be putting a stop to that much
    >> traffic. :-)

    Ladislav> Customers doing what they want, if bind can rate limit
    Ladislav> them, they will of course re-evaluate their behaviour,
    Ladislav> because they will be forced to do it.

This is nonsense. First of all, the customers are probably not "doing
what they want". They're most likely doing what their ISP told them to
do a long time ago. Presumably neither the ISP nor the customer at that
time had a clue about DNS operations and the pointless stupidity of
forwarding. [If they had, they wouldn't have configured a forwarding
setup.] The customers may well be blissfully unaware that their
forwarding name servers are pounding incessantly on the ISP's
server. The customers may well be running ancient DNS code. So they
could have name servers that don't implement negative caching asking
for the same non-existent names over and over again.

    Ladislav> Since bind doesn't care about it, nobody cares, saying
    Ladislav> that router will solve it? Will the router ensure that
    Ladislav> *each* *random* customer will have let's say bw for
    Ladislav> 20/req per second and not more, just think about it.

How someone chooses to configure rate limiting on their routers is up
to them. In all likelihood, the excessive traffic will be coming from
a small number of IP addresses, so it would be trivial to make the
router rate-limit that traffic while not impeding the rest. Not that
rate limiting is the answer anyway. Applications and resolvers
sometimes do evil and stupid things when they get no response from the
DNS.

PS: I said in my earlier posting that anyone who wanted to see rate
limiting in BIND should feel free to contribute code. Since you seem
to think rate limiting DNS queries is a desirable thing to do, go
ahead. Implement it.
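The per-source policy discussed in this thread (each client address limited to roughly 20 queries per second, with the 1200 qps forwarder throttled and everyone else untouched), simulated as an added example. This is not code from the thread or from BIND; it models what a router or firewall in front of the name server does with a per-source-IP token bucket. The addresses, the rate/burst values and the one-second traffic sample are constructed for illustration.

```python
"""Per-source-IP token-bucket rate limiting of DNS queries, simulated offline.

Added example, not code from the bind-users thread or from BIND: it models the
behaviour described for a router or firewall in front of the name server.
Every source IP gets its own bucket holding up to `burst` tokens, refilled at
`rate` tokens per second; a query is forwarded only if a token is available
and dropped otherwise. The traffic below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Bucket:
    tokens: Fraction  # tokens currently available to this source
    last: Fraction    # timestamp of the previous query from this source


class PerSourceLimiter:
    """Independent token bucket per source address."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate = rate      # sustained queries per second allowed per source
        self.burst = burst    # maximum tokens a source can bank
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src: str, now: Fraction) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            # A source we have not seen before starts with a full bucket.
            bucket = Bucket(tokens=Fraction(self.burst), last=now)
            self.buckets[src] = bucket
        # Refill in proportion to elapsed time, never above the burst cap.
        refill = (now - bucket.last) * self.rate
        bucket.tokens = min(Fraction(self.burst), bucket.tokens + refill)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False


def make_traffic() -> list[tuple[Fraction, str]]:
    """Constructed one-second sample: one forwarder sending 1200 evenly spaced
    queries (the anti-social client from the thread) plus two ordinary
    clients at 5 qps each. Exact Fractions keep the counts deterministic."""
    events = [(Fraction(i, 1200), "192.0.2.10") for i in range(1200)]
    events += [(Fraction(i, 5), "192.0.2.20") for i in range(5)]
    events += [(Fraction(i, 5) + Fraction(1, 10), "192.0.2.30") for i in range(5)]
    events.sort()
    return events


def run(limiter: PerSourceLimiter, events):
    """Feed the traffic through the limiter; return per-source forwarded/dropped counts."""
    forwarded: dict[str, int] = defaultdict(int)
    dropped: dict[str, int] = defaultdict(int)
    for ts, src in events:
        if limiter.allow(src, ts):
            forwarded[src] += 1
        else:
            dropped[src] += 1
    return dict(forwarded), dict(dropped)


def demo(rate: int = 20, burst: int = 20):
    """The 20 req/s per-source policy from the thread, applied to the sample."""
    return run(PerSourceLimiter(rate, burst), make_traffic())


if __name__ == "__main__":
    fwd, drp = demo()
    for src in sorted(fwd):
        print(f"{src}: forwarded {fwd[src]}, dropped {drp.get(src, 0)}")
```

With a 20-token bucket refilled at 20 tokens/s, the forwarder gets its initial burst of 20 plus about one query in sixty thereafter (39 forwarded, 1161 dropped in the one-second sample), while the two 5 qps clients never lose a query, which is the "limit the few offenders without impeding the rest" outcome the reply describes. On Linux the same per-source policy is what netfilter's hashlimit match expresses, e.g. `iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 20 --hashlimit-name dns -j DROP` (an assumed deployment, not something the thread mentions). The caveat raised in the reply still applies: a dropped query is a query with no response, and the client's resolver will retry it rather than back off.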

