nanog mailing list archives

Re: Open Resolver Problems


From: Owen DeLong <owen () delong com>
Date: Wed, 27 Mar 2013 08:54:27 -0700

It's been available in linux for a long time, just not in BIND…

Here is a working ip6tables example:

-A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst of <90).

Owen





On Mar 27, 2013, at 6:47 AM, William Herrin <bill () herrin us> wrote:

On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom () cloudflare com> wrote:
Authoritative DNS servers need to implement rate limiting. (a client
shouldn't query you twice for the same thing within its TTL).

Right now that's a complaint for the mainstream software authors, not
for the system operators. When the version of Bind in Debian Stable
implements this feature, I'll surely turn it on.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
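Added example (not part of Owen's or Bill's posts): a small Python model of what the `-m limit --limit 30/minute --limit-burst 90` match in the rules above actually does. The netfilter `limit` match is a token bucket that starts full with `--limit-burst` tokens and refills at the `--limit` average rate; a packet matches only while a token is available, otherwise it falls through to the next rule in the chain. The model also contrasts that single shared bucket with a per-source-address bucket, which is the behaviour `-m hashlimit --hashlimit-mode srcip` provides. The IPv6 addresses, timestamps and traffic pattern are constructed for the demonstration; the refill arithmetic uses floats rather than netfilter's integer credit counters, so it approximates the kernel's rounding but shows the same accept/fall-through split.

```python
"""Model of the netfilter `limit` match (shared bucket) versus a per-source bucket.

Constructed scenario: one source floods 200 DNS queries within a second, then a
second, well-behaved source sends 5 queries.  With a single shared bucket the
flood drains all tokens and the well-behaved source falls through to whatever
rule follows (typically a drop); with per-source buckets it is unaffected.
"""

from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket approximating `-m limit --limit N/minute --limit-burst B`."""

    rate_per_minute: float          # --limit: sustained average rate
    burst: int                      # --limit-burst: bucket capacity, starts full
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, ts: float) -> bool:
        """True if a packet arriving at time `ts` (seconds) is within the limit."""
        elapsed = ts - self.last_ts
        self.last_ts = ts
        # Refill at the average rate, capped at the bucket capacity.
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_minute / 60.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def sample_traffic() -> list[tuple[float, str]]:
    """Constructed arrivals (timestamp, source), in time order."""
    flooder = "2001:db8::bad"       # constructed attacker address
    client = "2001:db8::1"          # constructed legitimate resolver address
    flood = [(i / 200.0, flooder) for i in range(200)]     # 200 queries in ~1 s
    normal = [(1.0 + 0.1 * i, client) for i in range(1, 6)]  # 5 queries afterwards
    return flood + normal


def _tally(counts: dict[str, tuple[int, int]], src: str, ok: bool) -> None:
    accepted, fallthrough = counts.get(src, (0, 0))
    counts[src] = (accepted + int(ok), fallthrough + int(not ok))


def run_shared_bucket(arrivals: list[tuple[float, str]],
                      rate: float = 30, burst: int = 90) -> dict[str, tuple[int, int]]:
    """One bucket for the whole rule, as `-m limit` behaves.

    Returns {source: (accepted, fell_through)}.
    """
    rule = LimitMatch(rate, burst)
    counts: dict[str, tuple[int, int]] = {}
    for ts, src in arrivals:
        _tally(counts, src, rule.matches(ts))
    return counts


def run_per_source_bucket(arrivals: list[tuple[float, str]],
                          rate: float = 30, burst: int = 90) -> dict[str, tuple[int, int]]:
    """One bucket per source address, as `-m hashlimit --hashlimit-mode srcip` behaves."""
    buckets: dict[str, LimitMatch] = {}
    counts: dict[str, tuple[int, int]] = {}
    for ts, src in arrivals:
        rule = buckets.setdefault(src, LimitMatch(rate, burst))
        _tally(counts, src, rule.matches(ts))
    return counts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("shared bucket:    ", run_shared_bucket(traffic))
    print("per-source bucket:", run_per_source_bucket(traffic))
```

With the shared bucket, the flooder gets its first 90 queries accepted and the remaining 110 fall through, but so do all 5 queries from the legitimate client, because the bucket is empty for everyone. With a per-source bucket the flooder sees the same 90/110 split while the legitimate client's 5 queries are all accepted. That is the practical trade-off behind the catch-all rules in the post: a global `-m limit` caps the total query rate an open resolver can reflect, at the cost of collateral drops for everyone once one source exhausts it.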
