[Unbound-users] unbound rate limiting
Thilo Bangert
thilo.bangert at gmail.com
Thu Apr 4 11:49:13 UTC 2013
On Saturday, March 30, 2013 12:24:22 AM Rok Potočnik wrote:
> On 29.3.2013 23:41, Phil Pennock wrote:
> > That's a feature for authoritative DNS service. Myself, I highly
> > recommend and endorse those rate-limits for authoritative servers: in
> > particular, their patch for bind works really well.
> >
> > Unbound is a _resolver_. It does not provide authoritative service
> > except as a local_data hack for splicing data in. The rate limit
> > concepts as defined on that page simply don't apply to Unbound.
> >
> > You should not be providing recursive DNS service that's open to the
> > Internet.
> >
> > See the "access-control:" directive.
> >
> > If you're only providing recursive DNS service to your own customers,
> > then you can block packets with a source IP that claims to be your
> > customers at your border routers, so the spoofed traffic is blocked
> > before it even reaches your DNS servers.
> >
> > What is your setup, that you need to have recursive service offered to
> > third-party networks, and what issues are you trying to solve?
> >
> > -Phil
>
> I know rate limiting was intended for authoritative servers, but due to
> last week's DDoS attacks towards Spamhaus I'd like to limit the rate of
> our users' queries (ISP, couple of /16 subnets).
>
> Don't get me wrong - the servers are working as they should and are
> resolving records *just* for our supernets; but quite a few of the
> subscribers have an open resolver on their hands and are using our
> resolver as a forwarder. Just take a look at the attached picture of one
> of the few resolvers' statistics.
bind has the dampening patch for these purposes, I believe. Don't know how
it behaves in practice, but have heard good things about it.
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope
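Added example of the "access-control:" approach Phil describes earlier in the thread; it is not code from this list or from the Unbound project. Recursion is dropped by default and permitted only for the ISP's own supernets; the netblocks 10.0.0.0/16 and 10.1.0.0/16 are placeholders for the real ranges. It does nothing about spoofed sources inside the allowed ranges, which is why the thread points to filtering those at the border routers.

```conf
# unbound.conf fragment (constructed example): close the resolver to
# everyone except our own customers. Netblocks are placeholders.
server:
    interface: 0.0.0.0
    interface: ::0

    # Catch-all: drop silently. "deny" sends no reply at all, so a query
    # with a forged source address outside our ranges gets nothing
    # reflected back to it. "refuse" would answer with rcode REFUSED,
    # which is friendlier to misconfigured clients but still a reply.
    access-control: 0.0.0.0/0 deny
    access-control: ::0/0 deny

    # Our own supernets (placeholders for the real /16s) may recurse.
    access-control: 10.0.0.0/16 allow
    access-control: 10.1.0.0/16 allow

    # The resolver host itself.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
```

The most specific netblock match wins, so the /16 allow entries override the catch-all deny; run unbound-checkconf after editing to catch syntax mistakes before reloading.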