How to throttle misconfigured clients?
Tony Finch
dot at dotat.at
Tue Mar 3 17:18:09 UTC 2020
von Dein, Thomas <Thomas.vonDein at f-i-ts.de> wrote:
>
> we're seeing a lot of malformed dns queries to our recursive nameservers
> like these:
[snip queries for notification. / antivirusix. / kubeinspect. /
organization. / history. / go-kms. ]
> Obviously these clients (there are many) are misconfigured in some weird
> way. But sometimes they send valid queries. So, what I'd like to do is
> to throttle them down somehow when they start to send these queries. And
> I only want to do this for clients in this specific source network, not
> for all.
Response rate limiting (RRL) does something roughly like what you want: it
suppresses answers to repeated queries. However it is designed to deal
with abusive traffic with spoofed source addresses, whereas your problem
traffic is legitimate.
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/Bv9ARM.ch05.html#rrl
You should be extremely wary of rate-limiting non-abuse traffic on a
recursive server, because it can cause some very hard-to-debug problems,
e.g. your queries look vaguely cloud-flavoured which reminds me of
https://www.awsadvent.com/2018/12/07/working-with-aws-limits/
A better approach might be to find the people who aren't configuring their
systems with a default domain name or search path, and gently teach them
the error of their ways :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties: Cyclonic becoming northwest 5 or 6. Moderate or rough. Wintry
showers. Good.
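As an added example (not part of Tony's reply, and not BIND code), the following Python script walks BIND query-log lines and counts single-label queries per client inside a given source prefix, which is one way to find the hosts that are missing a default domain or search path. The log lines, client addresses and the 192.0.2.0/24 prefix are constructed samples, not real traffic.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in BIND's default query-log format (not real traffic).
SAMPLE_LOG = """\
03-Mar-2020 17:18:09.101 client @0x7f3c1c0a2b10 192.0.2.10#51234 (notification): query: notification IN A +E(0)K (198.51.100.1)
03-Mar-2020 17:18:09.112 client @0x7f3c1c0a2b10 192.0.2.10#51235 (kubeinspect): query: kubeinspect IN AAAA +E(0)K (198.51.100.1)
03-Mar-2020 17:18:09.120 client @0x7f3c1c0a2b10 192.0.2.11#40001 (go-kms): query: go-kms IN A +E(0)K (198.51.100.1)
03-Mar-2020 17:18:09.131 client @0x7f3c1c0a2b10 192.0.2.10#51236 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)
03-Mar-2020 17:18:09.140 client @0x7f3c1c0a2b10 203.0.113.5#33000 (history): query: history IN A +E(0)K (198.51.100.1)
"""

# Matches the "client <addr>#<port> (<qname>): query: <name> IN <type>" part of a
# BIND query-log line; the "@0x..." client handle is optional (older versions omit it).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def is_single_label(qname):
    """True for names like 'kubeinspect' or 'kubeinspect.' that carry no domain
    suffix, the symptom of a client with no default domain or search path."""
    return "." not in qname.rstrip(".")

def single_label_queries_by_client(log_text, source_network):
    """Count single-label queries per client address inside source_network.
    Returns a Counter mapping client IP (string) -> number of such queries."""
    net = ipaddress.ip_network(source_network)
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line, skip it
        ip = ipaddress.ip_address(m.group("ip"))
        if ip in net and is_single_label(m.group("name")):
            counts[str(ip)] += 1
    return counts

if __name__ == "__main__":
    hits = single_label_queries_by_client(SAMPLE_LOG, "192.0.2.0/24")
    for client, n in hits.most_common():
        print(f"{client}: {n} single-label queries")
```

Run it against a real query log (enabled with the `querylog` option or `rndc querylog`) and the per-client counts point at the machines whose resolver configuration needs fixing.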