[Bug 1202278] Re: bind9 has no rate limit option

Seth Arnold 1202278 at bugs.launchpad.net
Thu Jul 18 22:49:44 UTC 2013


Indeed, this looks useful.

However, performing the rate limiting in the kernel using firewall rules
can be more efficient and not require any BIND patches.

There are three mechanisms I can think of for performing this rate
limiting today, without waiting for updates:

- Insert iptables hashlimit rules. Here is one suggested rule:
-p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
 --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
 --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse
(The rule was suggested by joerg jungermann in another context at http://mailman.powerdns.com/pipermail/pdns-users/2012-September/009235.html )

- Use phreld to dynamically insert DROP rules for hosts that bypass
limits: http://www.digitalgenesis.com/software/phrel/manual/phreld.html
(Sadly, not packaged for Ubuntu.) I know this option is preferred by
some commercial DNS hosts.

- Use ufw limit to add some quick limits. Since this is intended first
and foremost to prevent OpenSSH brute-force connection attempts, the
default limits may be too low for applying to DNS. This might still be
appropriate for very small installations, however. Your mileage may vary.

I hope this helps. Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1202278

Title:
  bind9 has no rate limit option

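Added example, not part of the original message: a POSIX shell script that turns the hashlimit rule quoted above into a complete ruleset, including the drop_log_dns_abuse chain that the rule jumps to but does not define. The chain logs at its own capped rate before dropping, so the log cannot itself be flooded by the traffic it reports; the iptables command path, the log rate and the use of `echo` as a preview command are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Builds the per-source DNS rate limit
# posted in the thread into a full iptables policy. Thresholds are the posted
# values (200 queries/sec sustained, burst 500) and must be tuned per site.
DNS_RATE="${DNS_RATE:-200/sec}"
DNS_BURST="${DNS_BURST:-500}"
ABUSE_CHAIN="drop_log_dns_abuse"   # chain name taken from the posted rule

# Emit the rules, one per line, as iptables argument strings.
dns_rate_limit_rules() {
    # Abuse chain: LOG only 6 times a minute (assumed value), then DROP.
    printf '%s\n' "-N $ABUSE_CHAIN"
    printf '%s\n' "-A $ABUSE_CHAIN -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix \"DNS-ABUSE: \""
    printf '%s\n' "-A $ABUSE_CHAIN -j DROP"
    # The posted hashlimit rule: per-source-IP accounting on UDP/53; packets
    # arriving ABOVE the rate (--hashlimit-above) are sent to the abuse chain.
    printf '%s\n' "-A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above $DNS_RATE --hashlimit-burst $DNS_BURST --hashlimit-mode srcip --hashlimit-name DNS-ABUSER --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j $ABUSE_CHAIN"
}

# Apply the rules with the given command (default: iptables). Passing "echo"
# previews the commands without touching the kernel. Returns the number of
# rules applied, via stdout of the last line, for scripting/testing.
apply_dns_rate_limit() {
    ipt="${1:-iptables}"
    n=0
    while IFS= read -r rule; do
        eval "$ipt $rule" || return 1
        n=$((n + 1))
    done <<EOF
$(dns_rate_limit_rules)
EOF
    return 0
}

# Count the rules that would be applied (used to sanity-check the ruleset).
dns_rate_limit_rule_count() {
    dns_rate_limit_rules | wc -l | tr -d ' '
}
```

Run with `apply_dns_rate_limit echo` first to review the exact commands, then as root without the argument; the hashlimit match counts per source IP, so a spoofed-source reflection flood is limited per claimed victim rather than per attacker.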