There's a bit more information about how clients-per-query works in this article here too - and importantly, make sure you're on a current version of BIND to avoid a bug with it (but you'd be updating anyway for CVE-2011-4313?):

https://www.isc.org/software/bind/advisories/cve-2011-4313
https://deepthought.isc.org/article/AA-00344/0/How-does-clients-per-query-work.html

(It's in the 'login-required' area, but anyone can register for access.)

Cathy

On 18/11/11 18:12, Fr34k wrote:
> Hello,
>
> Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an
> example of what I use:
>
>     clients-per-query 10 ;
>     max-clients-per-query 20 ;
>
> http://www.isc.org/software/bind/documentation
>
> Previously, this resource was posted on this list which is good info to have
> when investigating BIND behavior:
> https://deepthought.isc.org/article/AA-00341/0
>
> HTH
>
>> ________________________________
>> From: Alan Shackelford <ashac...@jhmi.edu>
>> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
>> Sent: Friday, November 18, 2011 10:32 AM
>> Subject: Question About max-clients-per-query
>>
>> I had a situation a couple of days ago where a compromised machine in the
>> DMZ portion of my network began sending an incredible number of queries to a
>> couple of the primary internal DNS servers. The traffic was so intense that
>> legitimate queries were unable to get through, or the customer timed out
>> before the response came back. It took me a while to diagnose, because
>> tailing the logs with querylog on was not possible. The data were coming too
>> fast for my terminal to display them. Only after several Cntl-C commands was
>> I able to escape from the tail, and a portion of the logs was displayed.
>> Only queries from the compromised machine were visible. Nothing else got
>> through during that time period. My customers and bosses are naturally
>> furious.
>>
>> So is it possible to limit the number of queries for one name from one
>> client, or even better, limit the number in a certain time, or the number of
>> queries "in a row" from one client? If not, we are going to have to be
>> creative with some iptables or firewall rules.
>>
>> Thanks for any help you can lend.
>>
>> Alan V. Shackelford
>> Sr. Systems Software Engineer
>> The Johns Hopkins University and Johns Hopkins Medical Institutions
>> Baltimore, Maryland USA
>> 410-735-4773
>> ashac...@jhmi.edu
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
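Alan's difficulty in the thread above was that the querylog scrolled too fast to read while the flood was running, so the offending client could only be identified after the fact. As an added example (my own code, not from anyone on this list and not part of BIND), here is a small Python script that parses BIND 9 querylog lines offline and reports any client that exceeds a query count in a sliding time window, either overall or for one name. It assumes the classic querylog line layout shown in the comment (the regex also tolerates the later `client @0x... 1.2.3.4#port (name):` form); the sample lines and the thresholds are constructed placeholders to tune to your own resolver's traffic. Note that the `clients-per-query` / `max-clients-per-query` options in Fr34k's example cap how many recursive clients may wait on the same outstanding query, which is a different control from the per-client rate this script measures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 querylog line layout (an assumption; adjust the regex for your build):
#   18-Nov-2011 10:32:00.100 client 10.0.0.5#41001: query: www.example.com IN A + (10.0.0.1)
# The optional groups also accept the later "client @0x... 10.0.0.5#41001 (www.example.com):" form.
QUERYLOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, client_ip, qname) for a querylog line, or None for other lines."""
    m = QUERYLOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["client"], m["qname"].lower()


def find_floods(lines, window=1.0, max_per_client=50, max_same_name=10):
    """Sliding-window rate check over querylog lines.

    Returns {client_ip: {"peak_total": n, "peak_same_name": n, "top_name": qname}}
    for every client that, within any `window` seconds, sent more than
    `max_per_client` queries in total or more than `max_same_name` for one name.
    Thresholds are placeholders; tune them to the resolver's normal traffic.
    """
    win = timedelta(seconds=window)
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    per_client = defaultdict(deque)   # client -> timestamps inside the window
    per_name = defaultdict(deque)     # (client, qname) -> timestamps inside the window
    offenders = {}
    for ts, client, qname in records:
        total = per_client[client]
        total.append(ts)
        while ts - total[0] > win:    # drop timestamps that fell out of the window
            total.popleft()
        same = per_name[(client, qname)]
        same.append(ts)
        while ts - same[0] > win:
            same.popleft()
        if len(total) > max_per_client or len(same) > max_same_name:
            entry = offenders.setdefault(
                client, {"peak_total": 0, "peak_same_name": 0, "top_name": qname})
            entry["peak_total"] = max(entry["peak_total"], len(total))
            if len(same) > entry["peak_same_name"]:
                entry["peak_same_name"] = len(same)
                entry["top_name"] = qname
    return offenders


def _sample_line(ms, client, qname, qtype="A"):
    """Build one constructed querylog line at 10:32:00 plus `ms` milliseconds."""
    return (f"18-Nov-2011 10:32:00.{ms:03d} client {client}#{40000 + ms}: "
            f"query: {qname} IN {qtype} + (10.0.0.1)")


# Constructed sample: one host sends 60 queries for the same name within 0.6 s,
# another sends three ordinary MX lookups, plus one unrelated named log line.
SAMPLE_LOG = (
    [_sample_line(ms, "10.0.0.5", "www.example.com") for ms in range(0, 600, 10)]
    + [_sample_line(ms, "10.0.0.7", "mail.example.com", "MX") for ms in (5, 205, 405)]
    + ["18-Nov-2011 10:32:00.999 zone example.com/IN: loaded serial 2011111801"]
)

if __name__ == "__main__":
    for client, info in find_floods(SAMPLE_LOG).items():
        print(f"{client}: {info['peak_total']} queries in window, "
              f"{info['peak_same_name']} for {info['top_name']}")
```

Run it against a saved querylog (`find_floods(open("query.log"))`) rather than against the live tail; the per-client and per-name deques only ever hold one window's worth of timestamps, so it copes with large files, and the result gives you the client address and name to feed into a firewall rule or a BIND `allow-query` exception without having to read the scrolling log by eye.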