<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Just my opinion.</p>
<p>Don't rate limit tcp. The RRL feature in Bind only rate limits
UDP. UDP is connection-less and the source address can be forged,
generating DDOS traffic to a 3rd party. <br>
</p>
<p>Proper DNS software will fall back to TCP. Because TCP is
connection based, much harder to forge source address.</p>
<p>Lyle<br>
</p>
<div class="moz-cite-prefix">On 8/3/22 08:30, Robert Moskowitz
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f94163ee-d996-91d7-721d-1c8e2361566e@htt-consult.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Thanks. I will look into this.<br>
<br>
<div class="moz-cite-prefix">On 8/3/22 07:47, Victor Johansson via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d4befafe-9a3a-7320-548d-c01580c20358@mullvad.net">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Hey,<br>
</p>
<p>I just want to add that there is a better way to do this in
iptables with hashlimit. The normal rate limit in iptables is
too crude.</p>
<p>Below is an example from the rate-limit-chain, to which you
simply send all port 53 traffic from the INPUT chain (make
sure to exclude 127.0.0.1/127.0.0.53 though :) ).<br>
</p>
<p><br>
</p>
<p>-A INPUT -p udp -m udp --dport 53 -j DNS-RATE-LIMIT<br>
-A INPUT -p tcp -m tcp --dport 53 -j DNS-RATE-LIMIT<br>
</p>
<p>-A DNS-RATE-LIMIT -s 127.0.0.1/32 -m comment --comment "Dont
rate-limit localhost" -j RETURN<br>
-A DNS-RATE-LIMIT -m hashlimit --hashlimit-upto 100/sec
--hashlimit-burst 300 --hashlimit-mode srcip --hashlimit-name
DNS-drop --hashlimit-htable-expire 2000 -j ALLOW<br>
-A DNS-RATE-LIMIT -m limit --limit 1/sec -j LOG --log-prefix
"DNS-drop: "<br>
-A DNS-RATE-LIMIT -m comment --comment "ansible[dns rate
limiting]" -j DROP</p>
<p><br>
</p>
<p>//Victor<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 8/2/22 23:16, Michael De Roover
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ca485cb575fca9988669bb67af71b2bf5d5b14de.camel@nixmagic.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div>For my servers I'm using iptables rules to achieve
ratelimiting. They look as follows:</div>
<div>-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m
recent --update --seconds 600 --hitcount 4 --name DEFAULT
--mask 255.255.255.255 --rsource -j DROP</div>
<div>-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m
recent --set --name DEFAULT --mask 255.255.255.255 --rsource</div>
<div><br>
</div>
<div>It should be fairly trivial to convert these to use UDP
53, and tweak the timings you want. These rules are intended
to allow 4 connections (which normally should be entire SMTP
transactions) every 10 minutes. Since I have 2 edge nodes
with these rules, that is doubled to 8 connections total. If
you're an authoritative name server only, realistically
mostly recursors / caching servers would query your servers
and not too often. You can easily restrict traffic here. If
you're a recursor too, this becomes a bit more complicated.</div>
<div><br>
</div>
<div>Regarding the legitimate queries, it would be prudent to
allow common recursors (Google, Cloudflare, Quad9 etc) to
have exceptions to this rule. Just allow their IP addresses
to send traffic either unrestricted, or using a more relaxed
version of the above.</div>
<div><br>
</div>
<div>HTH,</div>
<div>Michael</div>
<div><br>
</div>
<div>On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz
wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div>Recently I have been having problems with my server not
responding to my </div>
<div>requests. I thought it was all sorts of issues, but I
finally looked at </div>
<div>the logs and:</div>
<div><br>
</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
114.29.194.4#11205 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>114.29.216.196#64956 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
64.68.114.141#39466 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>209.197.198.45#13280 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 </div>
<div>114.29.202.117#41955 (.): view external: query (cache)
'./A/IN' denied</div>
<div>Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80
62.109.204.22#4406 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:49 onlo named[6155]: client @0xa9420720
64.68.104.9#38518 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div>Aug 2 15:47:50 onlo named[6155]: client @0xaa882dc8
114.29.202.117#9584 </div>
<div>(.): view external: query (cache) './A/IN' denied</div>
<div><br>
</div>
<div>grep -c denied messages</div>
<div>45868</div>
<div><br>
</div>
<div>And that is just since Jul 31 3am.</div>
<div><br>
</div>
<div>This is fairly recent so I never looked into what I
might do to protect </div>
<div>against this. I am the master for my domain, so I do
need to allow for </div>
<div>legitimate queries.</div>
<div><br>
</div>
<div>Any best practices on this?</div>
<div><br>
</div>
<div>I am running bind 9.11.4</div>
<div><br>
</div>
<div>thanks</div>
<div><br>
</div>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
</blockquote>
</body>
</html>