Limit queries per IP address.

David Nolan vitroth+ at cmu.edu
Tue Mar 11 14:47:39 UTC 2008



--On Tuesday, March 11, 2008 14:07:11 +0000 João Martins 
<jrmartiz at gmail.com> wrote:

> Do I have any option that limit the number of queries for each client or
> specific network? The idea is limiting a number of queries that a user (or
> IP address) can do by second or even by minute.
>


I don't believe there is a way to do this in BIND directly; however, here 
are a couple of tips that might help.

If you can install host firewall rules, you may be able to use those to 
rate limit the queries.  For example, on a Linux machine you could use:

iptables -A INPUT -s $ipaddress -p udp --dport 53 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -s $ipaddress -p udp --dport 53 -j DROP

Note, however, that this might make things much worse from the client 
machine's perspective, as they'll just receive DNS timeouts, so I would 
only do something along these lines in an extreme scenario.

The approach we take at Carnegie Mellon for our heavy query client machines 
(mostly mail servers), is to provide dedicated DNS server addresses for 
those machines.  We don't provide dedicated server hardware, we just make 
those server addresses be secondary IP addresses on our normal pool of DNS 
servers.  For example:

- Most client machines receive via DHCP two name servers, 10.0.0.10 and 
10.0.0.11
- High query server machines receive via DHCP (or static resolv.conf) two 
different dns server addresses, 10.0.0.13 and 10.0.0.14.

But 10.0.0.13 and 10.0.0.10 are actually served by the same machine, with 
10.0.0.13 being a secondary interface (eth0:1, for example) (*).  Why does 
this help, you might ask?  Because BIND processes queries from each of its 
interfaces in a round-robin fashion.  So the heavy query load to 10.0.0.13 
will generate a large queue of requests on that interface, while the 
10.0.0.10 interface will have a much smaller (or empty) queue of requests, 
and those requests will get processed equally with the large queue.


(*):  Actually our setup is more complex than this.  The published 
recursive server addresses are actually served via a pool of servers via 
internal Anycast.  This allows for redundancy of our DNS servers, and 
horizontal scaling.


-David Nolan
 Network Systems Engineer
 Computing Services
 Carnegie Mellon University
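The iptables rules in the reply above limit queries from one address given in $ipaddress. The script below is an added example, not part of the original post or of BIND: it emits a rule set that rate limits UDP/53 per source address for all clients at once using the iptables hashlimit match (--hashlimit-mode srcip), with an optional exemption list for known heavy query clients such as the mail servers mentioned in the post. The chain name DNS_RATELIMIT, the hashlimit table name dns_per_src, and the rate, burst and address values are illustrative assumptions; applying the rules requires root and an iptables build with the hashlimit module.

```bash
#!/bin/sh
# Added example (not from the original post): per-source-IP rate limiting
# of DNS queries on a Linux host with iptables hashlimit.
# Assumptions: iptables with the hashlimit match; chain and table names are
# arbitrary; rate/burst/exempt values are illustrative.

# dns_ratelimit_rules RATE BURST [EXEMPT_IP ...]
#   Prints, one per line, the iptables commands that:
#     1. create a dedicated chain and send all inbound UDP/53 through it,
#     2. return early (no limit) for each exempt address,
#     3. accept up to RATE per source IP with a BURST allowance,
#     4. drop everything above that rate.
dns_ratelimit_rules() {
    rate="$1"     # sustained queries allowed per source IP, e.g. 3/sec
    burst="$2"    # initial burst tolerated per source IP, e.g. 10
    shift 2       # any remaining arguments are exempt client addresses

    printf 'iptables -N DNS_RATELIMIT\n'
    printf 'iptables -A INPUT -p udp --dport 53 -j DNS_RATELIMIT\n'

    # Exemptions must precede the limit so heavy clients are never throttled.
    for ip in "$@"; do
        printf 'iptables -A DNS_RATELIMIT -s %s -j RETURN\n' "$ip"
    done

    # One token bucket per source address (srcip mode), keyed in the
    # hashlimit table dns_per_src; packets within the limit are accepted.
    printf 'iptables -A DNS_RATELIMIT -m hashlimit --hashlimit-name dns_per_src'
    printf -- ' --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s -j ACCEPT\n' \
        "$rate" "$burst"

    # Everything over the limit is dropped; the client sees a timeout.
    printf 'iptables -A DNS_RATELIMIT -j DROP\n'
}

# dns_ratelimit_apply RATE BURST [EXEMPT_IP ...]
#   Executes the generated rules (needs root). Kept separate from the
#   generator so the rule set can be reviewed before it is installed.
dns_ratelimit_apply() {
    dns_ratelimit_rules "$@" | while IFS= read -r cmd; do
        $cmd
    done
}

# Usage (dry run, prints the rules): 3 queries/sec, burst 10, one exempt host
dns_ratelimit_rules 3/sec 10 10.0.0.25
```

Review the printed rules first, then run dns_ratelimit_apply with the same arguments as root. As the reply notes, dropped queries surface on the client as resolver timeouts; if that is unacceptable, the final DROP can be changed to REJECT with an ICMP port-unreachable, which lets a stub resolver fail over to its next configured server immediately instead of waiting out the timeout.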
