On 2013-03-27, at 14:52, Jared Mauch <jared@puck.nether.net> wrote:
I am very concerned about examples such as this possibly being implemented by a well intentioned sysadmin or neteng type without understanding their query load and patterns. bind with the rrl patch does log when things are happening. While the data is possible to extract from iptables, IMHO it's not quite as easy to audit as a syslog.
For an authoritative-only server, people can expect coarse rate-limits such as those quoted earlier with iptables to give false positives and to reject legitimate queries. RRL is far safer. For a recursive server, I agree you need a much better understanding of your traffic patterns before you try something like the iptables example. Dropping queries from your own clients' stub resolvers has an immediate support cost. You *really* don't want false positives, there. Joe