Defense against a client?
Roel Wagenaar
roel at wagenaar.nu
Mon Jan 16 10:49:46 UTC 2012
"Tom Schmitt" <TomSchmitt at gmx.de> wrote:
> Hi,
>
> I have a problem with the load on my Bind. Normally it's fine, but from
> time to time there are clients which cause, through a misconfiguration or a
> failed local service (not intentionally), a very high amount of queries. After
> finding and informing the responsible person this problem is mostly solved in
> short time.
>
> One of these cases my DNS server can handle, but sometimes there is more
> than one of these cases at the same time and I have a load problem which causes
> problems for all clients of my DNS servers.
>
> My question:
> Is there any possibility in Bind to give a quota to a client? e.g. that
> from a given IP no more than a hundred queries per second are allowed and the
> rest is to be blackholed.
>
> That way only the client causing the load would have a problem but not all
> other clients.
>
> Is there such a possibility? I found nothing in the documentation. Or are
> there other ways to achieve this? How do you guys do this?
>
> Tom.
In this case iptables is your friend.
One of my solutions is partly based on this:
http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
adapted to the proper ports etc. of course.
--
Roel Wagenaar,
Linux-User #469851 with the Linux Counter; http://linuxcounter.net/
You are only young once, but you can stay immature indefinitely.
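An added example of the iptables approach Roel points to, not code from the thread or from the linked post: a POSIX shell script that prints (or, when run with `apply`, installs) hashlimit rules giving each client IP the 100 queries per second quota Tom asks for, dropping only that client's excess and logging it at a throttled rate. It assumes IPv4, iptables with the xt_hashlimit and LOG modules, and a resolver on port 53; the chain names and DNS_* variables are my own choices.

```shell
#!/bin/sh
# Added example (not from the original thread). Per-source-IP quota for DNS
# queries built on the iptables hashlimit match. Defaults mirror the question:
# at most 100 queries/second per client IP; packets above that are dropped
# ("blackholed") for that client only, so other clients are unaffected.
DNS_QPS_LIMIT="${DNS_QPS_LIMIT:-100/sec}"   # per-IP rate that may not be exceeded
DNS_BURST="${DNS_BURST:-100}"               # short bursts tolerated before limiting
DNS_PORT="${DNS_PORT:-53}"

# Emit one iptables command per line. Printing first makes the rule set
# reviewable before it touches a production resolver.
dns_ratelimit_rules() {
    p='%s\n'
    printf "$p" "iptables -N DNS_RATELIMIT"
    printf "$p" "iptables -N DNS_OVER_QUOTA"
    # Both transports go through the same quota chain.
    for proto in udp tcp; do
        printf "$p" "iptables -A INPUT -p $proto --dport $DNS_PORT -j DNS_RATELIMIT"
    done
    # hashlimit keeps a token bucket per source IP (--hashlimit-mode srcip).
    # --hashlimit-above matches only the packets that exceed the rate, so the
    # jump to DNS_OVER_QUOTA hits just the noisy client's surplus queries.
    printf "$p" "iptables -A DNS_RATELIMIT -m hashlimit --hashlimit-name dnsquota --hashlimit-mode srcip --hashlimit-above $DNS_QPS_LIMIT --hashlimit-burst $DNS_BURST -j DNS_OVER_QUOTA"
    printf "$p" "iptables -A DNS_RATELIMIT -j RETURN"
    # Log at most once a minute so the offender is visible in syslog without
    # the log itself becoming a second load problem, then drop.
    printf "$p" "iptables -A DNS_OVER_QUOTA -m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix \"DNS over quota: \""
    printf "$p" "iptables -A DNS_OVER_QUOTA -j DROP"
}

# Install the rules (needs root). Piping through sh keeps the quoting of the
# log prefix intact, which a read/eval loop would not.
apply_dns_ratelimit() {
    dns_ratelimit_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_dns_ratelimit
else
    dns_ratelimit_rules
fi
```

Per-IP limits treat every host behind a NAT as one client, and UDP source addresses can be spoofed, so check the "DNS over quota:" log lines for unexpected addresses before trusting the quota as the whole story.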