On Mon, May 9, 2022 at 2:46 PM Bjørn Mork <bj...@mork.no> wrote:

> Alex K <rightkickt...@gmail.com> writes:
> > On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas <uh...@fantomas.sk>
> > wrote:
> >
> >> maybe someone uses VPN over DNS...
> >> in such case, rate limiting of client comes to mind...
> >>
> > That would mean that the clients have access to their own dns servers,
> > which the firewall does not allow.
>
> No, you can run IP over DNS using any resolver. Also yours.
>
> Yes, they need a server for the remote end. But your resolver will be
> the one talking to it, just like it queries any other authoritative
> server on behalf of the client.
>
> Typically something you do for fun. Not for normal use. But I guess it
> could be in use by those who need a reliable communication channel
> inside any "isolated" environment. DNS tends to be available even where
> nothing else is.
>

I see. Thanks for clarifying.

>
> FWIW I agree with the rate-limit recommendation. It solves both this
> and your original problem without any complicated and messy tracking.
> Just make DNS "free" up to some reasonable query rate. If there are
> clients with higher legitimate needs, then you could consider creating
> separate rate-limit classes for those clients. And even charge extra
> for that, if it's important.
>

Does such DNS traffic have different characteristics from the normal one?
Perhaps, apart from limiting, I could block such traffic with the packet
size or similar.

>
> Bjørn
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
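The per-client rate classes suggested in the quoted reply, as an added example that is not part of the original thread or of BIND: one token bucket per client, run over query-log lines, counting the queries that exceed each client's allowance. The class names, rates, client addresses and sample log lines are constructed, and it assumes BIND query logging is enabled.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical rate classes: (queries per second, burst size in queries).
CLASSES = {"default": (5, 10), "bulk": (50, 100)}
# Hypothetical assignment of one client with higher legitimate needs.
CLIENT_CLASS = {"192.0.2.80": "bulk"}

LINE_RE = re.compile(r"^(\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?"
                     r"([0-9A-Fa-f.:]+)#\d+ .*?query: (\S+) IN (\S+)")

def parse(line):
    """Return (time_ms, client_ip, qname, qtype), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    ms = (when - datetime(1970, 1, 1)) // timedelta(milliseconds=1)
    return ms, m.group(2), m.group(3), m.group(4)

def over_limit(lines):
    """One token bucket per client, in integer milli-tokens; count the excess."""
    buckets, excess = {}, Counter()
    for ms, ip, _qname, _qtype in filter(None, map(parse, lines)):
        rate, burst = CLASSES[CLIENT_CLASS.get(ip, "default")]
        tokens, last = buckets.get(ip, (burst * 1000, ms))
        tokens = min(burst * 1000, tokens + (ms - last) * rate)  # refill
        if tokens >= 1000:
            tokens -= 1000          # within the free allowance
        else:
            excess[ip] += 1         # would be dropped or delayed
        buckets[ip] = (tokens, ms)
    return dict(excess)

def sample_log():
    """Constructed lines: a quiet client and two sending 40 queries in 2 s."""
    fmt = ("09-May-2022 14:00:{:02d}.{:03d} client @0x7f00 {}#5353 ({}): "
           "query: {} IN A + (192.0.2.1)")
    def line(ms, ip, name):
        return fmt.format(ms // 1000, ms % 1000, ip, name, name)
    lines = [line(ms, "192.0.2.10", "www.example.com") for ms in (0, 10000, 20000)]
    for ip in ("192.0.2.66", "192.0.2.80"):
        lines += [line(i * 50, ip, "q%d.example.net" % i) for i in range(40)]
    return lines

if __name__ == "__main__":
    print(over_limit(sample_log()))
```

Only the default-class client that sends 40 queries in two seconds is reported; the same burst from the client in the hypothetical "bulk" class stays inside its allowance.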