limiting number of requests of a single host
WBrown at e1b.org
Fri Jun 15 13:16:04 UTC 2012
bind-users-bounces+wbrown=e1b.org at lists.isc.org wrote on 06/15/2012
> We have a problem with one of our firewalls caused by DNS peaks.
> Once or twice a day a DNS burst (20K requests/15sec) kills all
> connections on the firewall.
> The firewall is due for replacement but in the meantime we would
> like to stop these peaks at their origin or at least try to limit
> their impact.
> We have 6 dns servers (bind) on our campus, that are all
> authoritative for our domains and also resolver for our campus hosts.
> Most of our clients however use our AD/LDAP/DNS Microsoft servers as
> their resolver, which in their turn contact our 6 dns servers for
> further resolving.
> What we figured out by packet capturing, is that at a certain point
> in time these AD/LDAP/DNS servers start "collecting" dns requests
> without sending them further and then in a burst pass them on to our
> 6 dns servers which try to resolve these queries. Due to the fact
> that one request of a client mostly results in several queries of
> our dns servers to the outside world (root server contact, NS record
> resolving, ...), this results in a burst of dns requests through our
> firewalls, killing them.
> I have 2 questions, one, is there a way to rate-limit the amount of
> request a single client (the AD servers in this case) can have
> standing out against a bind server ? Kind of rate-limiting parameter
> for bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft
> AD/LDAP/DNS server and has a clue what could cause this stalling ?
> Solving that would be the best solution.
Any chance of using network devices (firewalls, intelligent switches) to
rate limit connections from the AD/DNS server to the bind server?
Is the odd behavior of the AD/DNS server causing issues with the clients
making the original request? Have you tried tracking down the original
source of the query? Could that be the ultimate source of the traffic?
It seems unlikely that MSDNS would intentionally hold DNS requests. Have
you tried troubleshooting that?
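The reply suggests tracking down which client is actually producing the burst. As an added example that is not part of this thread, here is a small Python script that walks BIND query-log lines (the `query: <qname> IN A + (...)` format, with or without the newer `@0x...` client handle) and reports any client whose query count in a sliding window exceeds a threshold; the sample log lines, the 10.0.0.x addresses and the hostnames are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Matches a BIND query-log line (classic form, and the newer one that adds
# "@0x... (qname)" after "client"), e.g.
#   15-Jun-2012 13:16:04.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
LOG_RE = re.compile(
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) "
)

def parse_line(line):
    """Return (seconds since midnight, client ip, qname), or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"]) / 1000.0
    return ts, m["ip"], m["qname"]

def find_bursts(lines, window=15.0, threshold=20000):
    """Sliding-window query count per client (assumes one day of log, lines in time
    order). Returns {ip: peak queries in any `window` seconds} for clients whose
    peak exceeded `threshold`; defaults are the 20K/15s figure from the thread."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks

# Constructed sample log: one forwarder (10.0.0.5) fires 30 queries in ~2 seconds,
# an ordinary client (10.0.0.9) sends one query a minute.
def _line(h, m, s, ms, ip, port, qname):
    return (f"15-Jun-2012 {h:02d}:{m:02d}:{s:02d}.{ms:03d} client {ip}#{port}: "
            f"query: {qname} IN A + (10.0.0.1)")

SAMPLE_LOG = sorted(
    [_line(13, 16, 4 + i // 15, (i % 15) * 66, "10.0.0.5", 40000 + i, f"host{i}.example.com")
     for i in range(30)]
    + [_line(13, 15 + i, 0, 0, "10.0.0.9", 50000 + i, "www.example.com") for i in range(3)]
)
```

Run `find_bursts(SAMPLE_LOG, window=15.0, threshold=20)` to see the forwarder flagged with a peak of 30; with the thread's own 20K threshold nothing in the sample trips.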