[Unbound-users] unbound rate limiting
Rok Potočnik
r at rula.net
Fri Mar 29 23:24:22 UTC 2013
On 29.3.2013 23:41, Phil Pennock wrote:
> That's a feature for authoritative DNS service. Myself, I highly
> recommend and endorse those rate-limits for authoritative servers: in
> particular, their patch for bind works really well.
>
> Unbound is a _resolver_. It does not provide authoritative service
> except as a local_data hack for splicing data in. The rate limit
> concepts as defined on that page simply don't apply to Unbound.
>
> You should not be providing recursive DNS service that's open to the
> Internet.
>
> See the "access-control:" directive.
>
> If you're only providing recursive DNS service to your own customers,
> then you can block packets with a source IP that claims to be your
> customers at your border routers, so the spoofed traffic is blocked
> before it even reaches your DNS servers.
>
> What is your setup, that you need to have recursive service offered to
> third-party networks, and what issues are you trying to solve?
>
> -Phil
I know rate limiting was intended for authoritative servers, but due to
last week's DDoS attacks towards Spamhaus I'd like to limit the rate of
our users' queries (ISP, a couple of /16 subnets).
Don't get me wrong - the servers are working as they should and are
resolving records *just* for our supernets; but quite a few of the
subscribers have an open resolver on their hands and are using our
resolver as a forwarder. Just take a look at the attached picture of one
of the few resolvers' statistics.
--
BR, Rok
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound_qps.png
Type: image/png
Size: 68314 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20130330/4873710b/attachment.png>
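The situation Rok describes (a resolver that is correctly restricted with "access-control:" to the ISP's own supernets, but where individual subscribers run open forwarders that relay floods through it) is exactly what a per-client-address limit addresses; later Unbound releases added an "ip-ratelimit:" setting that counts accepted queries per second per source address, which is distinct from the authoritative response-rate-limiting discussed earlier in the thread. The following is an added example, not code from Unbound or from either poster: it models that per-client, one-second window in Python and replays it over constructed query-log lines. The log format is assumed to be what "log-queries: yes" prints, and every address, name, pid and timestamp in the sample is a placeholder.

```python
"""Per-client query rate limiting for a recursive resolver, replayed over
constructed Unbound query-log lines.

Added example, not code from Unbound or from the posters on this thread.
The log format is assumed to be what "log-queries: yes" prints:
    [<epoch>] unbound[<pid>:<tid>] info: <client-ip> <qname> <qtype> <qclass>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def parse_query_line(line):
    """Return (epoch, client_ip, qname, qtype), or None for non-query lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["client"], m["qname"], m["qtype"]


class ClientRateLimiter:
    """Fixed one-second window per source address.

    Each client gets at most `qps` accepted queries per wall-clock second;
    anything beyond that in the same second is refused. A real resolver
    would answer those with REFUSED or drop them rather than just count them.
    """

    def __init__(self, qps):
        self.qps = qps
        self._window = {}  # client -> (second, count in that second)

    def allow(self, client, ts):
        sec, count = self._window.get(client, (ts, 0))
        if sec != ts:  # a new second starts a fresh window for this client
            sec, count = ts, 0
        count += 1
        self._window[client] = (sec, count)
        return count <= self.qps


def replay(lines, qps):
    """Replay log lines through the limiter.

    Returns {client: {"allowed": n, "refused": n}} so heavy clients (the
    subscribers running open forwarders) stand out from ordinary ones.
    """
    limiter = ClientRateLimiter(qps)
    stats = defaultdict(lambda: {"allowed": 0, "refused": 0})
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, client, _qname, _qtype = parsed
        key = "allowed" if limiter.allow(client, ts) else "refused"
        stats[client][key] += 1
    return dict(stats)


def build_sample_log():
    """Constructed sample: one ordinary subscriber (10.1.2.3) and one
    subscriber (10.1.7.9) whose CPE is an open resolver forwarding a burst
    of ANY queries to us. Addresses, names and timestamps are placeholders."""
    lines = []
    for i in range(3):
        lines.append(f"[1364599261] unbound[1234:0] info: 10.1.2.3 host{i}.example.com. A IN")
    for _ in range(60):
        lines.append("[1364599261] unbound[1234:0] info: 10.1.7.9 example.net. ANY IN")
    lines.append("[1364599262] unbound[1234:0] info: 10.1.7.9 example.net. ANY IN")
    # Non-query line, as unbound also logs at other levels; parse_query_line skips it.
    lines.append("[1364599262] unbound[1234:0] notice: init module 0: validator")
    return lines


if __name__ == "__main__":
    for client, s in sorted(replay(build_sample_log(), qps=20).items()):
        print(f"{client:12} allowed={s['allowed']:3} refused={s['refused']:3}")
```

With a 20 qps limit the ordinary subscriber is untouched while the forwarding subscriber has 40 of its 60 first-second queries refused; tune the threshold from the real per-client distribution before enforcing it, since a NAT gateway in front of many customers legitimately exceeds what a single host would.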