I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious.
So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries "in a row" from one client. If not we are going to have to be creative with some iptables or firewall rules. Thanks for any help you can lend. Alan V. Shackelford Sr. Systems Software Engineer The Johns Hopkins University and Johns Hopkins Medical Institutions Baltimore, Maryland USA 410-735-4773 ashac...@jhmi.edu
PGP.sig
Description: PGP signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
