How to throttle misconfigured clients?

Tony Finch dot at
Tue Mar 3 17:18:09 UTC 2020

von Dein, Thomas <Thomas.vonDein at> wrote:
> we're seeing a lot of malformed dns queries to our recursive nameservers
> like these:

[snip queries for notification. / antivirusix. / kubeinspect. /
organization. / history. / go-kms. ]

> Obviously these clients (there are many) are misconfigured in some weird
> way. But sometimes they send valid queries. So, what I'd like to do is
> to throttle them down somehow when they start to send these queries. And
> I only want to do this for clients in this specific source network, not
> for all.

Response rate limiting (RRL) does something roughly like what you want: it
suppresses answers to repeated queries. However it is designed to deal
with abusive traffic with spoofed source addresses, whereas your problem
traffic is legitimate.

You should be extremely wary of rate-limiting non-abuse traffic on a
recursive server, because it can cause some very hard-to-debug problems,
e.g. your queries look vaguely cloud-flavoured which reminds me of

A better approach might be to find the people who aren't configuring their
systems with a default domain name or search path, and gently teach them
the error of their ways :-)

f.anthony.n.finch  <dot at>
Forties: Cyclonic becoming northwest 5 or 6. Moderate or rough. Wintry
showers. Good.

More information about the bind-users mailing list