limiting number of requests of a single host

Holemans Wim wim.holemans at ua.ac.be
Fri Jun 15 08:25:16 UTC 2012


We have a problem with one of our firewalls caused by DNS peaks. Once or twice a day a DNS burst (20K requests/15 sec) kills all connections on the firewall.
The firewall is due for replacement, but in the meantime we would like to stop these peaks at their origin or at least try to limit their impact.

We have 6 DNS servers (BIND) on our campus, which are all authoritative for our domains and also resolvers for our campus hosts.
Most of our clients, however, use our AD/LDAP/DNS Microsoft servers as their resolver, which in turn contact our 6 DNS servers for further resolving.

What we figured out by packet capturing is that at a certain point in time these AD/LDAP/DNS servers start 'collecting' DNS requests without forwarding them, and then in a burst pass them on to our 6 DNS servers, which try to resolve these queries. Due to the fact that one request from a client mostly results in several queries from our DNS servers to the outside world (root server contact, NS record resolving, ...), this results in a burst of DNS requests through our firewalls, killing them.

I have two questions. One, is there a way to rate-limit the number of requests a single client (the AD servers in this case) can have outstanding against a BIND server? Some kind of rate-limiting parameter for the BIND name server.
Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS server and has a clue what could cause this stalling? Solving that would be the best solution.

Thanks in advance for any suggestion or answer,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp
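As an added illustration (not part of Wim's post, and not BIND's own tooling): the burst described above can be measured from the BIND query log rather than from packet captures, by counting queries per client over a sliding window and flagging clients whose peak exceeds a threshold. The script below assumes the standard BIND 9 query-log line layout (`timestamp [category: severity:] client IP#port: query: QNAME ...`) and runs on a constructed sample in which one internal resolver (10.0.0.5) bursts while another client stays quiet; all addresses, names and log lines are constructed.

```python
"""Find per-client DNS query bursts in BIND 9 query-log lines (sliding-window count)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a BIND 9 query-log line such as (constructed example):
# 15-Jun-2012 08:25:16.123 queries: info: client 10.0.0.5#53421: query: www.example.com IN A + (10.0.0.1)
# The "queries: info:" category/severity prefix is optional, as it depends on the logging config.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:\S+: \S+: )?"
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) "
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname) for each line that is a query-log entry; skip others."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # zone loads, notifies, etc. are not queries
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        yield ts, m.group("ip"), m.group("qname")


def peak_rate_per_client(events, window_seconds):
    """Return {client_ip: highest number of queries seen in any window_seconds-long window}."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = defaultdict(int)
    for ts, ip, _qname in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window ending at ts.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def bursting_clients(lines, window_seconds=15, threshold=1000):
    """Clients whose peak query count within window_seconds reaches the threshold."""
    peaks = peak_rate_per_client(parse_query_log(lines), window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


def fmt(ts):
    """Render a datetime in BIND's millisecond timestamp format."""
    return ts.strftime(TS_FORMAT)[:-3]


def constructed_sample():
    """Constructed log: 10.0.0.5 sends 40 queries in under 3 s, 10.0.0.9 sends 5 over 48 s."""
    base = datetime(2012, 6, 15, 8, 25, 16)
    lines = []
    for i in range(40):
        ts = base + timedelta(milliseconds=70 * i)
        lines.append(f"{fmt(ts)} client 10.0.0.5#{40000 + i}: query: "
                     f"host{i}.example.com IN A + (10.0.0.1)")
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{fmt(ts)} queries: info: client 10.0.0.9#5353: query: "
                     f"www.example.org IN AAAA - (10.0.0.1)")
    # A non-query line that the parser must ignore.
    lines.append("15-Jun-2012 08:26:00.000 general: info: zone example.com/IN: loaded serial 2012061501")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for ip, n in sorted(peak_rate_per_client(parse_query_log(sample), 15).items()):
        print(f"{ip}: peak {n} queries / 15 s")
    print("bursting (>= 30 in 15 s):", bursting_clients(sample, threshold=30))
```

Run against a real log, feed `open("query.log")` to `bursting_clients` with the window and threshold that match the firewall's limits; the per-client peaks also give a baseline to compare against once the AD/DNS stalling is fixed or a limit is put in place.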
