On Fri, Jun 08, 2012 at 03:09:04PM -0400, Joe Maimon <jmaimon@ttec.com> wrote a message of 7 lines which said:
> Is there any publicly available rate limiting for BIND?
Not as far as I know. I'm not sure it would be a good idea. BIND is feature-rich enough.
> How about host-based IDS that can be used to trigger rtbh or iptables?
What I do (I manage a small and experimental open resolver) is to use iptables this way (porting it to IPv6 is left as an exercise):

    iptables -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
        --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

So, every prefix (length 28) can send 20 r/s with allowed bursts of 100. This requires a Netfilter >= 1.4 (recent options of module hashlimit).

Most iptables recipes that you find on the Web are not well suited to DNS. They use connection tracking, for instance, while, with the DNS, every request/response is a "connection".

I have a more complete article on this setup but in French only <http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.
> Google and Level3 manage to run open resolvers, why can't I?
You have less money :-)
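The following script is an added example, not part of the mail above or of the author's setup: it wraps the hashlimit rule from the message in a function so the same parameters can be emitted for IPv4 and for the IPv6 port the author left as an exercise, with a dry-run mode that only prints the commands. The rate, burst and /28 source mask are taken from the mail; the /64 mask for IPv6, the chain names DNS4/DNS6 and the function names are my own choices and assumptions. It assumes iptables and ip6tables with the hashlimit match supporting --hashlimit-above (iptables 1.4 or later).

```shell
#!/bin/sh
# Added example: build the DNS hashlimit rule from the thread for both
# address families. Assumptions: iptables/ip6tables >= 1.4 with the hashlimit
# match; 20 r/s, burst 100 and a /28 IPv4 source mask as in the mail; the
# /64 IPv6 source mask and the DNS4/DNS6 hash table names are my choices.

RATE=20/second
BURST=100
V4_MASK=28
V6_MASK=64

# dns_limit_rule FAMILY -> prints the rule arguments (without the tool name)
dns_limit_rule() {
    case "$1" in
        4) mask=$V4_MASK; name=DNS4 ;;
        6) mask=$V6_MASK; name=DNS6 ;;
        *) echo "usage: dns_limit_rule 4|6" >&2; return 2 ;;
    esac
    # --hashlimit-above matches once a source group exceeds RATE, so the
    # rule drops only the excess; no conntrack entry is created for UDP/53.
    printf '%s' "-A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name $name --hashlimit-above $RATE --hashlimit-mode srcip \
--hashlimit-burst $BURST --hashlimit-srcmask $mask -j DROP"
}

# dns_limit_tool FAMILY -> the netfilter front end for that family
dns_limit_tool() {
    case "$1" in
        4) echo iptables ;;
        6) echo ip6tables ;;
        *) return 2 ;;
    esac
}

# apply_dns_limit FAMILY [--dry-run]
# With --dry-run the full command is printed instead of executed.
apply_dns_limit() {
    tool=$(dns_limit_tool "$1") || return $?
    rule=$(dns_limit_rule "$1") || return $?
    if [ "${2:-}" = "--dry-run" ]; then
        echo "$tool $rule"
    else
        # Word splitting of $rule is intended here: each option is one argument.
        # shellcheck disable=SC2086
        "$tool" $rule
    fi
}

# Stand-alone use: "./dns-limit.sh --apply" installs both rules (needs root);
# anything else just prints them.
if [ "${1:-}" = "--apply" ]; then
    apply_dns_limit 4
    apply_dns_limit 6
else
    apply_dns_limit 4 --dry-run
    apply_dns_limit 6 --dry-run
fi
```

After applying, `iptables -S INPUT` shows the rule, and the per-source counters of a live hashlimit table can be inspected in `/proc/net/ipt_hashlimit/DNS4` (and `/proc/net/ip6t_hashlimit/DNS6`), which is a quick way to confirm the mask and rate are doing what you expect before trusting the rule on a resolver that other people depend on. Note that the rule only covers UDP; DNS over TCP/53 is untouched.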