limiting number of requests of a single hosts

Holemans Wim wim.holemans at ua.ac.be
Fri Jun 15 14:37:16 UTC 2012



Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


One of the problems is that these firewalls are going to be replaced soon and we don't want to spend to much effort in trying to fix what seems an annoying side-effect of something caused by a DNS system. 
We actually captured dns traffic around our AD server and were we see an average of 500 dns packets/5s in/out in normal conditions, this drops to about 100 for 20 seconds and then rises to 2000 dns packets/5sec causing our resolving servers to send a multiple amount of requests to the outside world killing the firewall.
We know changed the settings on the AD server to only use 2 of the resolving servers (which have a max recursive clients implemented) and checked the box, saying that the AD server could do his own lookups if the forwarders are not available.  

>Any chance of using network devices (firewalls, intelligent switches) to 
>rate limit connections from the AD/DNS server to the bind server?
>
>Is the odd behavior of the AD/DNS server causing issues with the clients 
>making the original request?  Have you tried tracking down the original 
>source of the query?  Could that be the ultimate source of the traffic 
>burst? 
>
>It seems unlikely that MSDNS would intentionally hold DNS requests.  Have 
>you tried troubleshooting that?





Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.



More information about the bind-users mailing list