If you are using BIND, take a look at: https://kb.isc.org/article/AA-01000 cv On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
Hello everyone
I noticed some issues on one of DNS server I am managing. It was getting queries for couple of attacking domains and server was replying in TCP with 3700 bytes releasing very heavy packets. Now I see presence of some (legitimate) DNS forwarders and hence I don't wish to limit queries.
As I understand there are two ways here for fix:
1. I can put a DNS rate limit in reply to ANY packets like say 5 replies in every one min. (but again I have some forwarders with quite a few machines behind them).
2. Other way is limiting TCP port 53 outbound size ...limiting to say 600-700 bytes or so.
I am sure I am not first person experiencing this issue. Curious to hear how you are managing it. Also under what circumstances I can get a legitimate TCP query on port 53 whose reply exceeds a basic limit of less then 1000 bytes?
Thanks.
--
Anurag Bhatia anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter<https://twitter.com/anurag_bhatia> Skype: anuragbhatia.com