<div dir="ltr"><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif;font-size:small"><p class="MsoNormal"><span style="color:rgb(31,73,125)">Thanks for the quick response. <span></span></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Is it possible to rate-limit the number of packets per second allowed by a specific iptables rule, especially for <b>UDP</b>? If yes, our partial requirement will be satisfied. <span></span></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">The only difficulty I can think of at the moment with using this rule is that the peers will not receive any response, which can make them retry. <span></span></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Otherwise, having the rate limit in BIND's incoming phase would provide the flexibility of responding with a specific error code to let the peer understand the situation.<span></span></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><br></span></p></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div> </div>
<div><font face="trebuchet ms,sans-serif"><span></span>Thanks,</font></div>
<div><font face="trebuchet ms,sans-serif">Kishore </font></div>
<div><font face="trebuchet ms,sans-serif">97 424 424 19<span></span></font></div></div></div>
<br><div class="gmail_quote">On Sun, Apr 30, 2017 at 6:42 PM, Sebastian Büttner <span dir="ltr"><<a href="mailto:sebastian@bueddl.de" target="_blank">sebastian@bueddl.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
is there any reason why you are not performing this rate limiting using a firewall like iptables/netfilter?<br>
<br>
You could limit the incoming requests at this point with ease, and the nameserver would never see the dropped requests, thus not wasting CPU time.<br>
Also, this approach allows for a dedicated firewall device (for example simple hardware also running Linux+iptables or Unix+BPF).<br>
<br>
Sebastian<br>
<br>
On 2017-04-30 15:04, <a href="mailto:ramkishore.b@gmail.com" target="_blank">ramkishore.b@gmail.com</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
To protect the DNS server from overload, is there any feature already<br>
part of the BIND software (or achievable with configuration<br>
changes) which can be enabled/disabled?<br>
I came across the documentation for a relevant feature called response rate<br>
limiting (RRL), and it looks like it is mostly useful for taking the<br>
decision at the time of response transmission, after the incoming<br>
request has been handled.<br>
Correct me if I am wrong here.<br>
<br>
But what I am looking for is a feature which calculates the incoming rate<br>
and rejects messages above a certain limit at the initial stage<br>
itself, dropping them before handling them, so that no processing<br>
resources are wasted.<br>
This type of mechanism would be very useful in defining the<br>
benchmark limit for any particular server based on its CPU and<br>
resource utilization.<br>
<br>
The BIND version we currently use is BIND 9.11.<br>
<br>
Any expert input is very much appreciated. Thanks.<br>
<br>
______________________________<wbr>_________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to<br>
unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br>
</blockquote>
</blockquote></div><br></div>
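<p>The two layers discussed in this thread, as an added example that is not part of the original messages and not code from ISC or BIND: a POSIX shell script whose first function emits an iptables-restore ruleset that caps inbound UDP/53 per source address (hashlimit) and globally (limit) in the kernel, before named ever sees the packets, and whose second function emits the named.conf <code>rate-limit</code> block that does the response-side limiting the first message asked about. The interface name, chain name, rates, bursts and prefix lengths are all assumptions; size them against the server's measured capacity. Run with <code>apply</code> to install the filter rules, <code>bind</code> to print the RRL snippet, or no argument to print the filter rules for review.</p>

```shell
#!/bin/sh
# Added example (not from the bind-users thread, not ISC/BIND code).
# Packet-filter rate limiting for UDP/53 in front of named, plus the BIND
# 9.11 RRL block that complements it. Every number, the interface and the
# chain name are assumptions to be tuned for the real server.

# Emit an iptables-restore (IPv4) ruleset. Over-limit packets are discarded
# in the kernel, so named spends no CPU on them; the trade-off noted in the
# thread is that the client gets no signal and simply retries on its own.
# Arguments: iface per_source_pps per_source_burst global_pps (all optional).
dns_udp_ratelimit_rules() {
    iface="${1:-eth0}"      # assumed listening interface
    per_src="${2:-50}"      # assumed per-client packets/second
    burst="${3:-100}"       # assumed per-client burst allowance
    global="${4:-5000}"     # assumed global ceiling, packets/second
    cat <<EOF
*filter
:DNS_UDP_IN - [0:0]
# Hand every inbound UDP/53 packet on ${iface} to the dedicated chain.
-A INPUT -i ${iface} -p udp --dport 53 -j DNS_UDP_IN
# Per-source cap, keyed on the client /24 (same granularity as RRL's ipv4-prefix-length default).
# A block exceeding ${per_src} pps after a burst of ${burst} is discarded; idle entries expire after 60 s.
-A DNS_UDP_IN -m hashlimit --hashlimit-name dns-udp-src --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above ${per_src}/second --hashlimit-burst ${burst} --hashlimit-htable-expire 60000 -j DROP
# Global backstop against many-source floods: admit up to ${global} pps, discard the rest.
-A DNS_UDP_IN -m limit --limit ${global}/second --limit-burst 1000 -j ACCEPT
-A DNS_UDP_IN -j DROP
COMMIT
EOF
}

# Response-side companion: BIND's RRL acts after the query has been processed,
# but "slip" lets it answer a share of over-limit clients with a truncated
# (TC=1) reply, so a legitimate resolver retries over TCP instead of blindly
# resending UDP. Values are assumptions.
bind_rrl_snippet() {
    cat <<'EOF'
options {
    rate-limit {
        responses-per-second 10;   // identical responses per client /24 per second
        errors-per-second 5;       // error responses per client block per second
        nxdomains-per-second 5;
        window 5;                  // seconds over which the rate is averaged
        slip 2;                    // every 2nd over-limit response is sent truncated, not dropped
        ipv4-prefix-length 24;
        log-only no;               // yes = measure and log only, enforce nothing
    };
};
EOF
}

case "${1:-print}" in
    # -n (--noflush) adds to the running ruleset instead of replacing it.
    apply) dns_udp_ratelimit_rules "$IFACE" "$PER_SRC" "$BURST" "$GLOBAL" | iptables-restore -n ;;
    bind)  bind_rrl_snippet ;;
    *)     dns_udp_ratelimit_rules "$IFACE" "$PER_SRC" "$BURST" "$GLOBAL" ;;
esac
```

<p>Two caveats a practitioner would check before deploying: the ruleset above is IPv4 only (an ip6tables counterpart needs its own <code>--hashlimit-srcmask</code>, typically wider than /24), and the per-source key is the source address as seen on the wire, which spoofed floods can rotate at will, so the global <code>limit</code> rule is the one that actually bounds CPU. Start with <code>log-only yes</code> in the RRL block and, for the filter side, watch the counters with <code>iptables -L DNS_UDP_IN -v -n</code> before moving from measuring to enforcing.</p>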