limiting number of requests of a single hosts

WBrown at WBrown at
Fri Jun 15 13:16:04 UTC 2012 at wrote on 06/15/2012 
04:25:16 AM:

> We have a problem with one of our firewalls caused by DNS peaks. 
> Once or twice a day a DNS burst (20K requests/15sec) kills all 
> connections on the firewall.
> The firewall is due for replacement but in the mean time we would 
> like to stop these peaks at their origin or at least try to limit 
> their impact.
> We have 6 dns servers (bind) on our campus, that are all 
> authoritative for our domains and also resolver for our campus hosts.
> Most of our clients however use our AD/LDAP/DNS Microsoft servers as
> their resolver, which on their turn contact our 6 dns servers for 
> further resolving.
> What we figured out by packet capturing, is that at a certain point 
> in time these AD/LDAP/DNS servers start ?collecting? dns requests 
> without sending them further and then in a burt pass them on to our 
> 6 dns servers which try to resolve these queries. Due to the fact 
> that one request of a client mostly results in several queries of 
> our dns servers to the outside world (root server contact, NS record
> resolving,..) , this results in a burst of dns requests through our 
> firewalls, killing them.
> I have 2 questions, one, is there a way  to rate-limit the amount of
> request a single client (the AD servers in this case) can have 
> standing out against a bind server ? Kind of rate-limiting parameter
> for bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft 
> AD/LDAP/DNS server and has a clue what could cause this stalling ? 
> Solving that would be the best solution.

Any chance of using network devices (firewalls, intelligent switches) to 
rate limit connections from the AD/DNS server to the bind server?

Is the odd behavior of the AD/DNS server causing issues with the clients 
making the original request?  Have you tried tracking down the original 
source of the query?  Could that be the ultimate source of the traffic 

It seems unlikely that MSDNS would intentionally hold DNS requests.  Have 
you tried troubleshooting that?

Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.

More information about the bind-users mailing list