Question About max-clients-per-query

Cathy Almond cathya at isc.org
Mon Nov 21 13:35:16 UTC 2011


There's a bit more information about how clients-per-query works in this
article here too - and importantly, make sure you're on a current
version of BIND to avoid a bug with it (but you'd be updating anyway for
CVE-2011-4313?):

https://www.isc.org/software/bind/advisories/cve-2011-4313

https://deepthought.isc.org/article/AA-00344/0/How-does-clients-per-query-work.html

(It's in the 'login-required' area, but anyone can register for access).

Cathy


On 18/11/11 18:12, Fr34k wrote:
> Hello,
> 
> Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an example of what I use:
>         clients-per-query 10 ;
>         max-clients-per-query 20 ;
> 
> http://www.isc.org/software/bind/documentation
> 
> 
> Previously, this resource was posted on this list which is good info to have when investigating BIND behavior:
> https://deepthought.isc.org/article/AA-00341/0
> 
> HTH
> 
> 
>> ________________________________
>> From: Alan Shackelford <ashackel at jhmi.edu>
>> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>> Sent: Friday, November 18, 2011 10:32 AM
>> Subject: Question About max-clients-per-query
>>
>> I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.
>>
>> So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries "in a row" from one client. If not we are going to have to be creative with some iptables or firewall rules.
>>
>> Thanks for any help you can lend.
>>
>> Alan V. Shackelford                   Sr. Systems Software Engineer
>> The Johns Hopkins University and Johns Hopkins Medical Institutions
>> Baltimore, Maryland USA       410-735-4773        ashackel at jhmi.edu
>>
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
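The flood Alan describes is easier to pin down from the saved querylog than from a scrolling terminal. As an added example (not part of the thread, and not ISC/BIND code), here is a small Python script that parses constructed sample querylog lines in the `client IP#port: query: NAME CLASS TYPE` form that named writes with `querylog yes` (the exact fields vary by BIND version, so the regex is an assumption) and reports queries per client, queries per (client, name), the peak count from one client inside any one-second window, and the longest streak of consecutive queries from one client: the three numbers the original question asks about. Note that clients-per-query and max-clients-per-query cap how many recursive clients may wait on the same name at once; they do not rate-limit a single source, so identifying that source quickly still matters.

```python
"""Spot a query flood in a BIND querylog: per client, per (client, name), per time window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the original thread) in the form named writes
# with 'querylog yes' and print-time enabled. 10.10.5.77 plays the flooding DMZ host;
# 10.1.7.20 and 10.1.7.21 are ordinary internal clients.
SAMPLE_LOG = """\
18-Nov-2011 10:20:01.001 client 10.10.5.77#41021: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.002 client 10.10.5.77#41022: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.003 client 10.10.5.77#41023: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.120 client 10.1.7.20#53011: query: mail.example.net IN MX + (10.1.1.53)
18-Nov-2011 10:20:01.200 client 10.10.5.77#41024: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.201 client 10.10.5.77#41025: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.202 client 10.10.5.77#41026: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.350 client 10.1.7.21#53012: query: intranet.example.net IN A + (10.1.1.53)
18-Nov-2011 10:20:01.400 client 10.10.5.77#41027: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:01.401 client 10.10.5.77#41028: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:02.050 client 10.10.5.77#41029: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:02.051 client 10.10.5.77#41030: query: www.example.org IN A + (10.1.1.53)
18-Nov-2011 10:20:02.500 client 10.1.7.20#53013: query: www.example.net IN AAAA + (10.1.1.53)
18-Nov-2011 10:20:03.010 client 10.10.5.77#41031: query: www.example.org IN A + (10.1.1.53)
"""

# Assumed line layout; newer named versions add a '@0x...' handle and a '(qname)' field,
# which the optional groups tolerate. Anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_querylog(text):
    """Yield (timestamp, client_ip, qname, qtype) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("ip"), m.group("qname").lower(), m.group("qtype")


def queries_per_client(records):
    """Total queries seen from each client address."""
    return Counter(ip for _, ip, _, _ in records)


def queries_per_client_and_name(records):
    """Queries per (client, name): shows a host hammering one name, as in the thread."""
    return Counter((ip, qname) for _, ip, qname, _ in records)


def peak_rate_per_client(records, window=timedelta(seconds=1)):
    """Largest number of queries one client sent inside any sliding window of `window`."""
    times = defaultdict(list)
    for ts, ip, _, _ in records:
        times[ip].append(ts)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def longest_run_per_client(records):
    """Longest streak of consecutive log lines from the same client ('queries in a row')."""
    runs = Counter()
    prev, length = None, 0
    for _, ip, _, _ in records:
        length = length + 1 if ip == prev else 1
        prev = ip
        runs[ip] = max(runs[ip], length)
    return runs


def flag_floods(records, window=timedelta(seconds=1), threshold=5):
    """Clients whose peak per-window count reaches `threshold` (threshold is a tuning choice)."""
    peaks = peak_rate_per_client(records, window)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    recs = list(parse_querylog(SAMPLE_LOG))
    print("per client:", queries_per_client(recs).most_common(3))
    print("per client+name:", queries_per_client_and_name(recs).most_common(3))
    print("peak per 1s window:", peak_rate_per_client(recs))
    print("longest run:", longest_run_per_client(recs).most_common(1))
    print("flagged:", flag_floods(recs))
```

Run it against a real querylog with `parse_querylog(open(path).read())`; the flagged addresses are what you would feed into an iptables or firewall rule while the offending host is cleaned up. Because named logs each query before it is answered, the counts reflect what arrived at the server, not what was answered.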
