Need to restrict DNS requests to just 5 per second

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Dec 26 05:30:34 PST 2006


Tek Bahadur Limbu wrote:
 
> I have a question regarding my Bind dns name server. About a 1000 users
> are using my dns name server using public IPs.
> 
> I need to restrict dns (udp) requests to not more than 3 requests per
> second from each client's IP.
> 
> Is there a way which we can apply this restriction using the
> configuration files of Bind or IPFW or anything for the matter.

This can be sort-of done quite easily using pf(4):

pass in on $ext_if proto udp
    from any to $ext_if port 53
    keep state ( max_src_conn_rate 300 / 60 )

However, the problem here is that UDP is a stateless protocol, so pf's
concept of a 'session' is any traffic between the querying IP+port and
the local endpoint.  Obviously, if the end point is querying fast enough,
and keeps reusing the same port numbers then the traffic can all form
part of the same session, so this rule may not be completely effective.

See: http://www.openbsd.org/faq/pf/filter.html#stateopts

Beyond that, you may be able to use ALTQ with pf to limit the bandwidth
applied to DNS traffic.

There are also controls that can be implemented within BIND to prevent
the server being overloaded by traffic levels.  See 'recursive-clients'
and 'tcp-clients' under:

http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#id2554668

However, these do not distinguish between individual clients.

Note that if you are providing recursive service to your clients you
should certainly limit access to the service by originating net block
so only your clients can use the service.  You may also find that
alternative recursive DNS servers may work better -- djbdns has a pretty
good DNS cache and recursive-only implementation.  Of course, recursive
and authoritative DNS should be kept separate for security reasons.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
