Limit queries per IP address.
vitroth+ at cmu.edu
Tue Mar 11 14:47:39 UTC 2008
--On Tuesday, March 11, 2008 14:07:11 +0000 João Martins
<jrmartiz at gmail.com> wrote:
> Do I have any option that limits the number of queries for each client or
> specific network? The idea is limiting the number of queries that a user (or
> IP address) can do per second or even per minute.
I don't believe there is a way to do this in BIND directly, however here
are a couple of tips that might help.
If you can install host firewall rules, you may be able to use those to
rate limit the queries. For example, on a linux machine you could use:
iptables -A INPUT -s $ipaddress -p udp --dport 53 -m limit --limit 3/s -j ACCEPT
iptables -A INPUT -s $ipaddress -p udp --dport 53 -j DROP
Note however that that might make things much worse from the client
machine's perspective, as they'll just receive DNS timeouts, so I would
only do something along this line in an extreme scenario.
The approach we take at Carnegie Mellon for our heavy query client machines
(mostly mail servers), is to provide dedicated DNS server addresses for
those machines. We don't provide dedicated server hardware, we just make
those server addresses be secondary IP addresses on our normal pool of DNS
servers. For example:
- Most client machines receive via DHCP two name servers, 10.0.0.10 and
- High query server machines receive via DHCP (or static resolv.conf) two
different dns server addresses, 10.0.0.13 and 10.0.0.14.
But 10.0.0.13 and 10.0.0.10 are actually served by the same machine, with
10.0.0.13 being a secondary interface (eth0:1 for example) (*). Why does
this help, you might ask? Because BIND processes queries from each of its
interfaces in a round robin fashion. So the heavy query load to 10.0.0.13
will generate a large queue of requests on that interface, while the
10.0.0.10 interface will have a much smaller (or empty) queue of requests,
and those requests will get processed equally with the large queue.
(*): Actually our setup is more complex than this. The published
recursive server addresses are actually served via a pool of servers via
internal Anycast. This allows for redundancy of our dns servers, and
Network Systems Engineer
Carnegie Mellon University
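As an added illustration (not from the post, and not BIND's or Carnegie Mellon's code), the script below scans BIND query-log lines, finds clients that exceed the same 3 queries/second threshold the iptables rules in the post use, and renders that two-rule pattern for each offender. It assumes BIND 9's classic `client IP#port: query: ...` log line; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic BIND 9 query-log line (assumed format), e.g.
#   11-Mar-2008 14:07:11.123 client 10.1.2.3#1234: query: example.com IN A +
# The regex also tolerates the "@0x..." handle and "(name)" field newer versions add.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
)

def parse_line(line):
    """Return (timestamp, client_ip) for one query-log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"), m.group("ip")

def heavy_clients(lines, limit=3, window_s=1.0):
    """Sliding-window count per client IP. Returns {ip: peak queries seen inside
    any window_s-second window} for clients whose peak exceeds `limit`
    (3 by default, matching the --limit 3/s rule in the post)."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-query lines (e.g. named status messages) are skipped
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()  # drop queries that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

def iptables_rules(ip, limit=3):
    """Render the post's two-rule pattern (rate-limited ACCEPT, then DROP) for one address."""
    return [
        f"iptables -A INPUT -s {ip} -p udp --dport 53 -m limit --limit {limit}/s -j ACCEPT",
        f"iptables -A INPUT -s {ip} -p udp --dport 53 -j DROP",
    ]

# Constructed sample log: 10.1.2.3 (a mail server) fires four queries inside one
# second and a fifth just after the window; 10.1.2.4 queries at a sedate pace.
SAMPLE_LOG = [
    "11-Mar-2008 14:07:11.001 client 10.1.2.3#40001: query: mx1.example.com IN A +",
    "11-Mar-2008 14:07:11.050 client 10.1.2.4#50001: query: www.example.com IN A +",
    "11-Mar-2008 14:07:11.120 client 10.1.2.3#40002: query: mx2.example.com IN MX +",
    "11-Mar-2008 14:07:11.350 client 10.1.2.3#40003: query: 3.2.1.10.in-addr.arpa IN PTR +",
    "11-Mar-2008 14:07:11.600 client 10.1.2.3#40004: query: mx3.example.com IN A +",
    "11-Mar-2008 14:07:12.100 client 10.1.2.3#40005: query: mx4.example.com IN A +",
    "11-Mar-2008 14:07:12.500 client 10.1.2.4#50002: query: example.com IN MX +",
    "11-Mar-2008 14:07:12.600 named[1234]: not a query line",
]
```

Run `heavy_clients(SAMPLE_LOG)` to get the offenders, then `iptables_rules(ip)` for each; the output is a starting point for review, not something to feed straight into a firewall.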