It is not a good idea to use a stateful firewall on a heavily loaded DNS server. The firewall becomes the weak point in the system.

As a workaround you can use dns_flood_detector + a simple script to insert and remove IPs from a firewall blocking table or chain.

27.10.2010 23:26, Sebastian Tymków writes:
> In FreeBSD you can use pf to limit connections using tables and setting
> up rate limit.
>
> http://forums.freebsd.org/showthread.php?t=1727
>
> Best regards,
>
> Shamrock
>
> On Tue, Oct 26, 2010 at 9:29 PM, Kebba Foon <kebba.f...@qcell.gm> wrote:
>
>     On Tue, 2010-10-26 at 15:22 -0400, Todd Snyder wrote:
>     > What version of bind, on what OS?
>
>     I use Debian 5.0 with bind 9.6-ESV-R1, but I also thought that the OS
>     might have some security holes, so I tried FreeBSD 8.1 with BIND 9.7.1
>     but I still have the same problems.
>
>     > Here may be some things you can do with iptables to limit connections
>     >
>     > http://www.debian-administration.org/articles/187
>
>     I will just look into these, but I don't think iptables will be the
>     ideal solution.
>
>     > I don't recall seeing anything native to BIND that would allow for
>     > limits per src.
>     >
>     > t.
>     >
>     > -----Original Message-----
>     > From: bind-users-bounces+tsnyder=rim.com@lists.isc.org
>     > [mailto:bind-users-bounces+tsnyder=rim.com@lists.isc.org] On Behalf Of
>     > Kebba Foon
>     > Sent: Tuesday, October 26, 2010 2:27 PM
>     > To: bind-users@lists.isc.org
>     > Subject: limiting number of recursion/queries per IP address
>     >
>     > Dear List,
>     >
>     > Is it possible to limit the number of recursion/queries per IP
>     > address? There is some kind of virus that's bombarding my DNS servers
>     > with a lot of queries. I realize that whenever the total number of
>     > recursive clients reaches 1000, DNS resolution stops working. I have
>     > increased recursive-clients to 10000 but still this does not help,
>     > and I have also increased the number of max open files on my OS,
>     > which at one point was complaining about too many open files. Can
>     > someone please direct me to how best to solve this problem? It's some
>     > kind of DDoS.
>     >
>     > Thanks
>     > Kebba
>     >
>     > _______________________________________________
>     > bind-users mailing list
>     > bind-users@lists.isc.org
>     > https://lists.isc.org/mailman/listinfo/bind-users

--
Рыбин Дмитрий
Expert in service disaster recovery
Broadband (ШПД) Systems Division
IT Infrastructure Department
Вымпелком Group of Companies
Tel: +7(495) 7871000
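Added example (editor's code, not Dmitry's script and not part of dns_flood_detector or BIND): the "simple script" from the reply above, as the kind of glue a practitioner would put between a flood detector and a firewall block table. It reads detector alert lines, adds a source to the table once its query rate crosses a threshold, and removes it after a quiet period, so the stateful tracking lives in the script rather than in the firewall. The alert line format, the table name "dnsflood", the threshold and the block duration are all assumptions made for this example; the pf table and the ipset must be created beforehand and referenced from a stateless block rule (see the comments).

```python
#!/usr/bin/env python3
"""Glue script: turn DNS-flood detector alerts into firewall block-table entries.

Constructed example for this thread (not Dmitry's script, not part of
dns_flood_detector).  Alerts above THRESHOLD add the source to a firewall
table; the entry is removed again BLOCK_SECONDS after the last alert.  The
rule that references the table should be stateless so blocking itself never
creates state on the busy resolver.
"""
import re
import subprocess
import sys
import time
from typing import Dict, List, Optional

# ASSUMED alert format; real dns_flood_detector output may differ, adjust ALERT_RE.
#   "... source [192.0.2.10] - 1500 queries/s"
ALERT_RE = re.compile(r"source \[(?P<ip>[0-9A-Fa-f:.]+)\] - (?P<rate>\d+) queries/s")

# Table name "dnsflood" is an assumption; create it first, e.g.
#   pf:    table <dnsflood> persist
#          block in quick proto udp from <dnsflood> to any port 53 no state
#   ipset: ipset create dnsflood hash:ip
#          iptables -I INPUT -p udp --dport 53 -m set --match-set dnsflood src -j DROP
BACKENDS = {
    "pf":    {"add": ["pfctl", "-t", "dnsflood", "-T", "add"],
              "del": ["pfctl", "-t", "dnsflood", "-T", "delete"]},
    "ipset": {"add": ["ipset", "add", "dnsflood"],
              "del": ["ipset", "del", "dnsflood"]},
}


class FloodBlocker:
    """Tracks blocked sources and the time at which each should be unblocked."""

    def __init__(self, backend: str = "pf", threshold: int = 500,
                 block_seconds: int = 600, dry_run: bool = True) -> None:
        self.cmds = BACKENDS[backend]
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.dry_run = dry_run
        self.blocked: Dict[str, float] = {}   # ip -> epoch seconds at which to unblock

    def _run(self, argv: List[str]) -> List[str]:
        if not self.dry_run:
            subprocess.run(argv, check=True)
        return argv

    def process_line(self, line: str, now: float) -> Optional[List[str]]:
        """Return the firewall command issued for this alert line, or None."""
        m = ALERT_RE.search(line)
        if not m or int(m.group("rate")) < self.threshold:
            return None
        ip = m.group("ip")
        already = ip in self.blocked
        self.blocked[ip] = now + self.block_seconds   # (re)start the block timer
        return None if already else self._run(self.cmds["add"] + [ip])

    def expire(self, now: float) -> List[List[str]]:
        """Unblock every source whose deadline has passed; return commands issued."""
        issued = []
        for ip, deadline in list(self.blocked.items()):
            if deadline <= now:
                del self.blocked[ip]
                issued.append(self._run(self.cmds["del"] + [ip]))
        return issued


# Constructed sample alerts: (seconds since start, line).  Rates are made up.
SAMPLE_ALERTS = [
    (0,   "Oct 27 23:20:01 ns1 dns_flood_detector: source [192.0.2.10] - 1500 queries/s"),
    (1,   "Oct 27 23:20:02 ns1 dns_flood_detector: source [198.51.100.7] - 40 queries/s"),
    (5,   "Oct 27 23:20:06 ns1 dns_flood_detector: source [192.0.2.10] - 1700 queries/s"),
    (700, "Oct 27 23:31:41 ns1 dns_flood_detector: source [203.0.113.9] - 900 queries/s"),
]


def run_sample(backend: str = "pf") -> List[List[str]]:
    """Dry-run the sample: the firewall commands that would be issued, in order."""
    blocker = FloodBlocker(backend=backend, threshold=500, block_seconds=600, dry_run=True)
    issued: List[List[str]] = []
    for t, line in SAMPLE_ALERTS:
        issued.extend(blocker.expire(t))
        cmd = blocker.process_line(line, t)
        if cmd:
            issued.append(cmd)
    issued.extend(blocker.expire(2000))   # long after the last alert: everything expires
    return issued


if __name__ == "__main__":
    # Usage: dns_flood_detector ... | python3 flood_blocker.py [pf|ipset] [--apply]
    backend = next((a for a in sys.argv[1:] if a in BACKENDS), "pf")
    blocker = FloodBlocker(backend=backend, dry_run="--apply" not in sys.argv)
    for line in sys.stdin:
        now = time.time()
        for cmd in blocker.expire(now):
            print(" ".join(cmd))
        cmd = blocker.process_line(line, now)
        if cmd:
            print(" ".join(cmd))
```

Without --apply the script only prints the pfctl/ipset commands, which is the mode to run first against the detector's real output to confirm ALERT_RE matches it. Two caveats for production use: expiry is only evaluated when a new alert arrives, so a quiet table is never cleaned up until the next flood (run expire() on a timer if that matters), and ipset refuses to add an entry that already exists, so flush the set (ipset flush dnsflood) when restarting the script.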