nanog mailing list archives
Re: Open Resolver Problems
From: Owen DeLong <owen () delong com>
Date: Wed, 27 Mar 2013 08:54:27 -0700
It's been available in linux for a long time, just not in BIND… Here is a working ip6tales example: -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst of <90). Owen On Mar 27, 2013, at 6:47 AM, William Herrin <bill () herrin us> wrote:
On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom () cloudflare com> wrote:Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL).Right now that's a complaint for the mainstream software authors, not for the system operators. When the version of Bind in Debian Stable implements this feature, I'll surely turn it on. Regards, Bill Herrin -- William D. Herrin ................ herrin () dirtside com bill () herrin us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Current thread:
- Re: Open Resolver Problems, (continued)
- Re: Open Resolver Problems Jack Bates (Mar 27)
- Re: Open Resolver Problems William Herrin (Mar 27)
- Re: Open Resolver Problems Jack Bates (Mar 27)
- Re: Open Resolver Problems Mark Andrews (Mar 27)
- Re: Open Resolver Problems Tony Finch (Mar 27)
- Re: Open Resolver Problems Jack Bates (Mar 27)
- Re: Open Resolver Problems Tony Finch (Mar 27)
- Re: Open Resolver Problems Joe Abley (Mar 27)
- Re: Open Resolver Problems Valdis . Kletnieks (Mar 27)
- Re: Open Resolver Problems Tony Finch (Mar 27)
- Re: Open Resolver Problems Owen DeLong (Mar 27)
- Re: Open Resolver Problems Marco Davids (Mar 27)
- Re: Open Resolver Problems Jared Mauch (Mar 27)
- Re: Open Resolver Problems Joe Abley (Mar 27)
- Can we not just fix it? WAS:Re: Open Resolver Problems Michael DeMan (Mar 28)
- Re: Can we not just fix it? WAS:Re: Open Resolver Problems David Conrad (Mar 28)
- Re: Can we not just fix it? WAS:Re: Open Resolver Problems Saku Ytti (Mar 28)
- Re: Open Resolver Problems Ben Aitchison (Mar 28)
- Re: Open Resolver Problems Jimmy Hess (Mar 29)
- Re: Open Resolver Problems Mark Andrews (Mar 29)
- Re: Open Resolver Problems Joe Greco (Mar 29)