limiting number of requests of a single hosts

Warren Kumari warren at kumari.net
Fri Jun 15 15:41:21 UTC 2012 

On Jun 15, 2012, at 4:25 AM, Holemans Wim wrote:

> We have a problem with one of our firewalls caused by DNS peaks.

Yes. <EOM>

W


> Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall.
> The firewall is due for replacement but in the mean time we would like to stop these peaks at their origin or at least try to limit their impact.
>  
> We have 6 dns servers (bind) on our campus, that are all authoritative for our domains and also resolver for our campus hosts.
> Most of our clients however use our AD/LDAP/DNS Microsoft servers as their resolver, which on their turn contact our 6 dns servers for further resolving.
>  
> What we figured out by packet capturing, is that at a certain point in time these AD/LDAP/DNS servers start ‘collecting’ dns requests without sending them further and then in a burt pass them on to our 6 dns servers which try to resolve these queries. Due to the fact that one request of a client mostly results in several queries of our dns servers to the outside world (root server contact, NS record resolving,..) , this results in a burst of dns requests through our firewalls, killing them.
>  
> I have 2 questions, one, is there a way  to rate-limit the amount of request a single client (the AD servers in this case) can have standing out against a bind server ? Kind of rate-limiting parameter for bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS server and has a clue what could cause this stalling ? Solving that would be the best solution.
>  
> Thanks in advance for any suggestion, answer,
>  
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp
>  
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Curse the dark, or light a match. You decide, it's your dark.
                -- Valdis Kletnieks

More information about the bind-users mailing list