Ok, I agree, and thank you for the accurate answer.

<long story>
OTOH the server was rejecting all the other requests (I do not think it was badly configured), and it ended up rejecting the good ones also (after a loooong time of use). I first looked in the nsd manpages to see if I could figure out why and found nothing (a log like "I reject packet because ..."). I tried verbosity: 2, ratelimit: 1024 (but nsd wasn't up to date - NSD version 3.2.5). I wanted to have a workaround; of course there is another authoritative to answer, therefore I ended up filtering content.
</long story>

If I run an authoritative server can I filter to answer only certain IP addresses? Like a list of public/root DNS? My next step was to look at dnssec, which would be nice to have anyway.

On Mon, Nov 9, 2015 at 10:34 PM, Nick Holland <n...@holland-consulting.net> wrote:
> On 11/09/15 16:45, sven falempin wrote:
> > For the first time ever I did something with iptables
> > that I don't know how to do (simply) with
> > pf.
> > Something I think is useful.
> >
> > I have a domain server, nsd, it serves whatever.com,
>
> Authoritative server, then.
>
> > the server is like flooded with requests for no reason,
>
> Welcome to the Internet. It happens.
>
> > with iptables I was able to add
> > <-m string --hex-string whatever|03|com>
> > in the <in> rules.
> >
> > So I only accept DNS requests that matter to me.
> >
> > Is there a way? (something simpler than diverting to a
> > sort of grep -v).
>
> I'd call that a wrong way to do it, definitely.
>
> If your name server is configured properly, it should be ignoring domain
> requests it isn't authoritative for. Not a problem. If you are running
> a resolver, it should be resolving only for the IP addresses you manage
> (here PF can help you, but the resolver can deal with that, too).
>
> > Would it be a cool feature? or because it's a protocol shall
> > it be done inside relayd?
>
> No. String and pattern matching in the kernel is not a really good
> plan. And if you are doing it in an application outside of the kernel,
> why not just do it in NSD and be done with it?
>
> Nor is this solving a problem. Let NSD do its job correctly, and it
> will just ignore those queries. DNS queries are really small, and
> authoritative servers put very little load on the processor. The query
> is going to get received, looked at, and either responded to or
> dropped...adding extra layers here to change who receives and processes
> the query isn't helping anything. In fact -- assuming NSD is fairly
> efficient (I think it is), what I propose is this:
> Packet comes in (kernel)
> Packet is compared against domains served (NSD)
> Response or drop (NSD)
>
> What you propose is this:
> Packet comes in (kernel)
> packet is compared against domains served (filter)
> drop ... OR ->
> packet is compared against domains served (AGAIN!) (NSD)
> response (NSD)
>
> I don't think you win anything here by duplicating a step.
>
> OR if you want to be nasty, set up a full resolver that returns the IP
> of some really nasty, rude or inappropriate site for ALL queries except
> the ones it should be answering for. (actually, I don't recommend
> doing this, but it made me grin to think about it. "Why do I keep
> ending up on the My Little Pony website??"). Again, just because you
> CAN do something doesn't make it a good idea.
>
> Nick.
>

--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
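As an added illustration (not from this thread, and not NSD or iptables code) of why a raw byte match such as `--hex-string whatever|03|com` is a poor stand-in for the name server's own zone lookup: this Python script builds a few constructed DNS queries, parses the QNAME from the wire format, and compares the naive substring test with a label-aware, case-insensitive check against an assumed served zone, `whatever.com`.

```python
import struct

SERVED_ZONES = ["whatever.com."]    # zone this authoritative server hosts (assumed)
NAIVE_PATTERN = b"whatever\x03com"  # the bytes the iptables --hex-string rule looks for

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: minimal DNS query (ID 0x1234, RD set) for name/IN/qtype."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(packet: bytes, offset: int = 12):
    """Walk the length-prefixed labels of the first question; return (labels, next_offset)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length

def question_name(packet: bytes) -> str:
    """QNAME of the first question as a lowercase, dot-terminated string."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, _ = parse_qname(packet)
    return ".".join(labels) + "."

def in_served_zone(qname: str, zones=SERVED_ZONES) -> bool:
    """Label-wise, case-insensitive test that qname is at or under a served zone."""
    q = qname.lower().rstrip(".").split(".")
    for zone in zones:
        z = zone.lower().rstrip(".").split(".")
        if len(q) >= len(z) and q[-len(z):] == z:
            return True
    return False

def naive_match(packet: bytes) -> bool:
    """The byte-substring test the iptables string match performs on the whole packet."""
    return NAIVE_PATTERN in packet

if __name__ == "__main__":
    # Uppercase query: NSD would answer, the byte match rejects it (DNS names are case-insensitive).
    # "notwhatever.com" and "whatever.com.evil.example": byte match accepts, zone check rejects.
    for name in ["www.whatever.com.", "WHATEVER.COM.", "notwhatever.com.", "whatever.com.evil.example."]:
        pkt = build_query(name)
        print(f"{name:28} naive={naive_match(pkt)!s:5} zone={in_served_zone(question_name(pkt))}")
```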