Stephane Bortzmeyer wrote:
On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon <> wrote a message of 7 lines which said:
Is there any publicly available rate limiting for BIND?
Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough.
I really hope you have a minority viewpoint on this one. I would really like to see it.
How about host-based IDS that can be used to trigger rtbh or iptables?
What I do (I manage a small and experimental open resolver) is to use iptables this way (porting it to IPv6 is left as an exercise):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
    --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
    --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
So, every prefix (length 28) can send 20 r/s with allowed bursts of 100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).
Missing the amplification factor goodness Google says they have, but I'll take it.
Most iptables recipes that you find on the Web are not well suited to DNS. They use connection tracking, for instance, while, with the DNS, every request/response is a "connection".
I have a more complete article on this setup but in French only <>.
This sounds promising. I will give it a spin. Thank you!
Google and Level3 manage to run open resolvers, why can't I?
You have less money :-)
With help like yours, I hope to compensate for that.

Joe
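To make the hashlimit rule in the thread concrete, here is an added example (not from either poster) that simulates what "20 r/s per /28 with a burst of 100, keyed on source prefix" does to a query stream. It approximates xt_hashlimit as a per-prefix token bucket (an assumption, not the kernel's exact credit accounting), runs it over constructed traffic (a 1000 q/s flood from one host next to a 5 q/s client), and the prefix-masking helper also covers IPv6 with a mask of your choosing, which the thread leaves as an exercise.

```python
import ipaddress
from collections import defaultdict

RATE = 20.0    # --hashlimit-above 20/second
BURST = 100    # --hashlimit-burst 100
SRCMASK = 28   # --hashlimit-srcmask 28 (IPv4; pick e.g. 64 for IPv6)


def bucket_key(src, mask=SRCMASK):
    """Return the prefix hashlimit hashes on in 'srcip' mode with --hashlimit-srcmask."""
    return str(ipaddress.ip_network(f"{src}/{mask}", strict=False))


class HashLimit:
    """Token-bucket approximation of 'hashlimit-above' + '-j DROP' (assumed model)."""

    def __init__(self, rate=RATE, burst=BURST, mask=SRCMASK):
        self.rate, self.burst, self.mask = rate, burst, mask
        self.tokens = defaultdict(lambda: float(burst))  # each prefix starts with a full burst
        self.last = {}                                   # last packet time per prefix

    def drop(self, src, t):
        """True if a query from src at time t (seconds) exceeds the limit and is dropped."""
        key = bucket_key(src, self.mask)
        last = self.last.get(key)
        if last is not None:  # refill at RATE tokens/second, capped at the burst size
            self.tokens[key] = min(self.burst, self.tokens[key] + (t - last) * self.rate)
        self.last[key] = t
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return False   # within limit: rule does not match, query reaches the resolver
        return True        # above limit: rule matches, -j DROP


def simulate(queries, **kw):
    """Run (time, src) queries through the limiter; return per-prefix passed/dropped counts."""
    hl = HashLimit(**kw)
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, src in sorted(queries):
        (dropped if hl.drop(src, t) else passed)[bucket_key(src, hl.mask)] += 1
    return dict(passed), dict(dropped)


if __name__ == "__main__":
    # Constructed traffic: one host flooding at 1000 q/s for 1 s, one client at 5 q/s.
    flood = [(i / 1000, "192.0.2.17") for i in range(1000)]
    legit = [(i / 5, "198.51.100.5") for i in range(5)]
    print(simulate(flood + legit))
```

The flood's /28 gets roughly the 100-query burst plus 20 more for the second and loses the rest, while the 5 q/s client in another prefix is untouched, which is the point of keying per source prefix instead of per connection.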