query limits

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 4 00:06:15 UTC 2005

Jim Reid wrote:

>>>>>>"Kris" == Kris Voelker <fritz at htc.net> writes:
>    Kris> Is there a way to control/limit the number of queries that
>    Kris> can be made by a specific IP?  
>Yes. That's why firewalls and routers were invented.
        I believe we've talked about this in the past, and I thought the 
concensus from those discussions was that it would be nice if BIND had 
some controls in this area. Routers and firewalls simply don't know -- 
can't know -- with precision the impact that queries have on a 
nameserver instance. It might be useful, for instance, to apply 
different rate-limits to recursive versus non-recursive queries, 
zone-transfers versus normal queries, etc. If and when DNSSEC ever gets 
off the ground, it might be useful to have a separate rate-limit for 
queries and/or responses which require a lot of cryptographic processing.

I think that anyone who really cares about this should submit a feature 
request to ISC for it.

                                             - Kevin

More information about the bind-users mailing list