How to Limit DNS Request per ip source ?
bortzmeyer at nic.fr
Mon Jan 14 13:30:10 UTC 2013
On Mon, Jan 14, 2013 at 06:36:44PM +0530,
Gaurav Kansal <gaurav.kansal at nic.in> wrote
a message of 156 lines which said:
> I tried the following commands, but unfortunately didn't succeed.
Why do you want to limit? If it is against a DoS attack, I warn you
that most Netfilter modules (for instance, "state") require allocating
a state on the firewall and a clever attack can fill the memory of the
> If anyone is using iptables for limiting DNS Query per IP,
If you have a DNS server used for reflection+amplification attacks
*and* it is a Linux machine *and* you have Netfilter >= 1.4 *and* you
cannot or does not want to install the patches for BIND or NSD to do
rate-limiting (they may provide a better result) *and* the attack is
over IPv4 *and* the attacker uses only a few domain names, you could
be interested in the technique we use. Disclaimer: it works for us, it
will not work for ever, it works now.
The idea is to use the Netfilter u32 module to recognize the attack,
then to rate-limit it with the Netfilter hashlimit module.
First, get the iptables rules generation script
Then, look at the traffic so see the pattern: what query type
(typically ANY), what query domain name, etc. In the examples, we'll
assume QTYPE=ANY, QNAME=example.net.
Then, generate the Netfilter rule:
iptables -A INPUT -p udp --dport 53 -m u32 \
--u32 $(python generate-netfilter-u32-dns-rule.py --qname example.net --qtype ANY) -j RATELIMITER
The RATELIMITER chain can be:
iptables -A RATELIMITER -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
or you can replace -j RATELIMITER by -j DROP of you want to be
There are more options in the generate-netfilter-u32-dns-rule.py
script, such as --bufsize=NNN if the attacker uses a fixed EDNS buffer
size (some do).
There are several ways for the attacker to work around this technique
(some obvious and some not so obvious). But my point is that it works
*today*, with *actual* attacks. So, it definitely helps but keep your
eyes open, have alternative solutions in place and do not put all your
eggs in one basket
More details (only in French) at
More information about the bind-users