Hello,
You may wish to read ISC/BIND's ARM about these settings (i.e., what they do,
how they work, what the defaults are, etc.):

    recursive-clients N;
    tcp-clients M;
    clients-per-query P;
    max-clients-per-query R;

where N, M, P, and R are numbers appropriate for your environment for each
respective option.

See BIND v9.x ARM at
https://kb.isc.org/category/116/0/10/Software-Products/BIND9/Documentation/
HTH
>________________________________
> From: Holemans Wim <wim.holem...@ua.ac.be>
>To: "'bind-users@lists.isc.org'" <bind-users@lists.isc.org>
>Sent: Friday, June 15, 2012 4:25 AM
>Subject: limiting number of requests of a single hosts
>
>
>
>We have a problem with one of our firewalls caused by DNS peaks. Once or twice
>a day a DNS burst (20K requests/15sec) kills all connections on the firewall.
>The firewall is due for replacement but in the meantime we would like to stop
>these peaks at their origin or at least try to limit their impact.
>
>We have 6 dns servers (bind) on our campus, that are all authoritative for our
>domains and also resolver for our campus hosts.
>Most of our clients however use our AD/LDAP/DNS Microsoft servers as their
>resolver, which in turn contact our 6 dns servers for further resolving.
>
>What we figured out by packet capturing, is that at a certain point in time
>these AD/LDAP/DNS servers start ‘collecting’ dns requests without sending them
>further and then in a burst pass them on to our 6 dns servers which try to
>resolve these queries. Due to the fact that one request of a client mostly
>results in several queries of our dns servers to the outside world (root
>server contact, NS record resolving, ...), this results in a burst of dns
>requests through our firewalls, killing them.
>
>I have 2 questions, one, is there a way to rate-limit the amount of requests a
>single client (the AD servers in this case) can have standing out against a
>bind server? Kind of rate-limiting parameter for bind name server.
>Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS
>server and has a clue what could cause this stalling? Solving that would be
>the best solution.
>
>Thanks in advance for any suggestion, answer,
>
>Wim Holemans
>Netwerkdienst Universiteit Antwerpen
>Network Services University of Antwerp
>
>_______________________________________________
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>from this list
>
>bind-users mailing list
>bind-users@lists.isc.org
>https://lists.isc.org/mailman/listinfo/bind-users
>
>
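An added example, not part of the original thread and not ISC code: a sliding-window check over BIND query-log lines that shows which client addresses produce bursts like the one described in the question, which helps when choosing limits. The log layout, the function names `find_bursts` and `sample_log`, and the sample addresses are assumptions; the default threshold takes the 20K requests/15 sec figure from the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 query-log layout (query logging must be enabled):
#   15-Jun-2012 04:25:00.000 client 192.0.2.10#40000: query: name IN A + (addr)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: "
)

def find_bursts(lines, window_s=15, threshold=20000):
    """Return {client_ip: peak} for clients that sent more than `threshold`
    queries inside any sliding window of `window_s` seconds.
    Assumes each client's lines appear in chronological order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # client ip -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a query-log entry
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop timestamps that left the window
        if len(q) > threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one forwarder bursting, one ordinary client."""
    base = datetime(2012, 6, 15, 4, 25, 0)
    fmt = ("{:%d-%b-%Y %H:%M:%S}.000 client {}#{}: "
           "query: host{}.example.com IN A + (192.0.2.1)")
    lines = ["15-Jun-2012 04:24:59.000 general: info: zone example.com/IN: loaded"]
    for i in range(30):           # 30 queries in 10 s, 3 per second
        when = base + timedelta(seconds=i // 3)
        lines.append(fmt.format(when, "192.0.2.10", 40000 + i, i))
    for i in range(5):            # one query every 12 s
        when = base + timedelta(seconds=12 * i)
        lines.append(fmt.format(when, "192.0.2.77", 50000 + i, i))
    return lines

if __name__ == "__main__":
    for ip, peak in find_bursts(sample_log(), threshold=25).items():
        print(f"{ip}: peak {peak} queries in 15 s")
```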