On Tue, Aug 02, 2022 at 11:16:15PM +0200, Michael De Roover wrote:
! For my servers I'm using iptables rules to achieve ratelimiting. They
! look as follows:
!
! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
! -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
!
! It should be fairly trivial to convert these to use UDP 53, and tweak
! the timings you want. These rules are intended to allow 4 connections
! (which normally should be entire SMTP transactions) every 10 minutes.
! Since I have 2 edge nodes with these rules, that is doubled to 8
! connections total. If you're an authoritative name server only,
! realistically mostly recursors / caching servers would query your
! servers and not too often. You can easily restrict traffic here. If
! you're a recursor too, this becomes a bit more complicated.
Just to give a heads up: I have a very similar config in IPFW protecting port 53 with a rate limit. I had put that in because the option was there and I thought it a good idea, and then entirely forgotten about it. I was then very surprised when I couldn't renew my certificates due to creepy and non-reproducible failures. A CA can send quite an amount of queries when validating a site, and may have tough timeouts.

I recommend testing such a rate-limit against DNSviz.net which also sends a high amount of queries.

(My actual fault was to forget about the limit, otherwise one could just remove it temporarily during such actions.)

-- 
PMc
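The --update/--set pair in the quoted rules, modelled in Python so the 600-second window and hit count of 4 can be sanity-checked against a bursty client such as a CA validator before the rules are moved to UDP 53. This is an added example, not code from either poster; the validator and recursor traffic is constructed, and MAX_STAMPS mirrors the xt_recent module's default per-address list length.

```python
from collections import defaultdict, deque

MAX_STAMPS = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address

class RecentTable:
    """One named '-m recent' list (--name DEFAULT), keyed by source address
    because of --rsource --mask 255.255.255.255."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # --set: record this packet's timestamp for the source address
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match when the address already has
        # at least H recorded packets within the last S seconds.  On a match the
        # module records the current packet too, so retries extend the block.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def filter_queries(packets, seconds=600, hitcount=4):
    """Run the two-rule chain (DROP on --update match, otherwise --set) over
    (timestamp, src) UDP/53 queries; each UDP query is a NEW conntrack entry,
    so every one counts.  Returns one verdict per packet."""
    table = RecentTable()
    verdicts = []
    for now, src in packets:
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts

# Constructed samples: a CA validator resolving six names one second apart,
# and a caching recursor that asks once every three minutes.
VALIDATOR_BURST = [(t, "198.51.100.7") for t in range(6)]
PATIENT_RECURSOR = [(t * 180, "203.0.113.9") for t in range(6)]

if __name__ == "__main__":
    print(filter_queries(VALIDATOR_BURST))   # 4 ACCEPT, then 2 DROP
    print(filter_queries(PATIENT_RECURSOR))  # all ACCEPT
```

The burst shows the failure mode described above: the fifth and sixth validation queries are silently dropped, and because dropped packets are also recorded, continued retries keep the validator blocked for the full window.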