<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Thanks. I will look into this.<br>
<br>
<div class="moz-cite-prefix">On 8/3/22 07:47, Victor Johansson via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d4befafe-9a3a-7320-548d-c01580c20358@mullvad.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Hey,<br>
</p>
<p>I just want to add that there is a better way to do this in
iptables with hashlimit. The normal rate limit in iptables is
too crude.</p>
<p>Below is an example from the rate-limit-chain, to which you
simply send all port 53 traffic from the INPUT chain (make sure
to exclude 127.0.0.1/127.0.0.53 though :) ).<br>
</p>
<p><br>
</p>
<p>-A INPUT -p udp -m udp --dport 53 -j DNS-RATE-LIMIT<br>
-A INPUT -p tcp -m tcp --dport 53 -j DNS-RATE-LIMIT<br>
</p>
<p>-A DNS-RATE-LIMIT -s 127.0.0.1/32 -m comment --comment "Dont
rate-limit localhost" -j RETURN<br>
-A DNS-RATE-LIMIT -m hashlimit --hashlimit-upto 100/sec
--hashlimit-burst 300 --hashlimit-mode srcip --hashlimit-name
DNS-drop --hashlimit-htable-expire 2000 -j ALLOW<br>
-A DNS-RATE-LIMIT -m limit --limit 1/sec -j LOG --log-prefix
"DNS-drop: "<br>
-A DNS-RATE-LIMIT -m comment --comment "ansible[dns rate
limiting]" -j DROP</p>
<p><br>
</p>
<p>//Victor<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 8/2/22 23:16, Michael De Roover
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ca485cb575fca9988669bb67af71b2bf5d5b14de.camel@nixmagic.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div>For my servers I'm using iptables rules to achieve
ratelimiting. They look as follows:</div>
<div>-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m
recent --update --seconds 600 --hitcount 4 --name DEFAULT
--mask 255.255.255.255 --rsource -j DROP</div>
<div>-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m
recent --set --name DEFAULT --mask 255.255.255.255 --rsource</div>
<div><br>
</div>
<div>It should be fairly trivial to convert these to use UDP 53,
and tweak the timings you want. These rules are intended to
allow 4 connections (which normally should be entire SMTP
transactions) every 10 minutes. Since I have 2 edge nodes with
these rules, that is doubled to 8 connections total. If you're
an authoritative name server only, realistically mostly
recursors / caching servers would query your servers and not
too often. You can easily restrict traffic here. If you're a
recursor too, this becomes a bit more complicated.</div>
<div><br>
</div>
<div>Regarding the legitimate queries, it would be prudent to
allow common recursors (Google, Cloudflare, Quad9 etc) to have
exceptions to this rule. Just allow their IP addresses to send
traffic either unrestricted, or using a more relaxed version
of the above.</div>
<div><br>
</div>
<div>HTH,</div>
<div>Michael</div>
<div><br>
</div>
<div>On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div>Recently I have been having problems with my server not
responding to my </div>
<div>requests. I thought it was all sorts of issues, but I
finally looked at </div>
<div>the logs and:</div>
<div><br>
</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
114.29.194.4#11205 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>114.29.216.196#64956 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
64.68.114.141#39466 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>209.197.198.45#13280 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>114.29.202.117#41955 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
62.109.204.22#4406 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:49 onlo named[6155]: client @0xa9420720
64.68.104.9#38518 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:50 onlo named[6155]: client @0xaa882dc8
114.29.202.117#9584 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div><br>
</div>
<div>grep -c denied messages</div>
<div>45868</div>
<div><br>
</div>
<div>And that is just since Jul 31 3am.</div>
<div><br>
</div>
<div>This is fairly recent so I never looked into what I might
do to protect </div>
<div>against this. I am the master for my domain, so I do
need to allow for </div>
<div>legitimate queries.</div>
<div><br>
</div>
<div>Any best practices on this?</div>
<div><br>
</div>
<div>I am running bind 9.11.4</div>
<div><br>
</div>
<div>thanks</div>
<div><br>
</div>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
</body>
</html>