Query on the Overload control mechanism for DNS Server

Sebastian Büttner sebastian at bueddl.de
Sun Apr 30 14:03:04 UTC 2017


Hi Kishore,

you can indeed do so with iptables, for example. Have a look at the 
hashlimit or the limit module. They are both capable of limiting per 
protocol, per destination or source IP, and can be configured to trigger only 
after reaching a burst limit. You can enforce a UDP packet rate which is 
allowed per second per source IP, for example to destination port 53:

iptables -I INPUT -p udp --dport 53 -m hashlimit --hashlimit 10/s \
    --hashlimit-mode srcip --hashlimit-name dns ...

Anyway, keep in mind that the UDP source IP might be spoofed (but then the 
benchmarking this is all about would not apply anyway).

   Sebastian

On 2017-04-30 15:52, Ram Kishore B wrote:
> Thanks for the quick response.
> 
> Is it possible to rate limit the number of packets per second to allow for
> a specific iptables rule, especially for *UDP*? If yes, our partial
> requirement will be satisfied.
> 
> The only difficulty I can think of at the moment with using this rule is
> that the peers will not be indicated with any response, which can make
> them retry.
> 
> Otherwise, having the rate limit in Bind's incoming phase will provide the
> flexibility of responding with a specific error code to let the peer
> understand the situation.
> 
> Thanks,
> Kishore
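
The per-source-IP hashlimit behaviour Sebastian describes above (a rate plus a burst that must be exhausted before packets start failing the match) can be modelled as one token bucket per srcip; the Python below is an added example written for this thread, not code from the post or from iptables, and the traffic it feeds in is constructed (two sources, one well-behaved at 5 pps and one flooding at 200 pps).

```python
"""Model of `-m hashlimit --hashlimit-upto RATE/s --hashlimit-burst N --hashlimit-mode srcip`.

Credits are kept in integer millitokens, so 10/s refills 10 millitokens per ms
and one packet costs 1000. This is an illustrative model, not xt_hashlimit itself."""
from collections import defaultdict


class HashLimit:
    """One bucket per source IP: starts full (burst), refills at rate tokens/s."""

    def __init__(self, rate_per_s, burst=5):   # iptables' default burst is 5
        self.rate = rate_per_s                 # tokens per second == millitokens per ms
        self.cap = burst * 1000                # bucket size in millitokens
        self.credit = {}                       # srcip -> (millitokens, last_seen_ms)

    def upto(self, srcip, now_ms):
        """True while the source is within the limit (what --hashlimit-upto matches).
        --hashlimit-above is simply the negation of this result."""
        tokens, last = self.credit.get(srcip, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1000
        if ok:
            tokens -= 1000
        self.credit[srcip] = (tokens, now_ms)
        return ok


def simulate(packets, rate_per_s=10, burst=20):
    """Run (time_ms, srcip) packets through the limiter; count accept/drop per source."""
    hl = HashLimit(rate_per_s, burst)
    stats = defaultdict(lambda: {"accept": 0, "drop": 0})
    for t, ip in sorted(packets):
        stats[ip]["accept" if hl.upto(ip, t) else "drop"] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample: a normal resolver at 5 pps and a flooder at 200 pps, 2 s each."""
    legit = [(200 * i, "192.0.2.10") for i in range(10)]     # every 200 ms
    flood = [(5 * i, "203.0.113.7") for i in range(400)]     # every 5 ms
    return legit + flood


if __name__ == "__main__":
    # Expected: legit source untouched; flooder gets burst (20) + ~10/s, rest dropped.
    for ip, s in simulate(constructed_traffic()).items():
        print(ip, s)
```

The flooder's bucket drains after its first 21 packets and then admits one packet per 100 ms, while the 5 pps source never drops below 19 tokens, which is the per-srcip isolation the `--hashlimit-mode srcip` rule gives you.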


More information about the bind-users mailing list