Stephane Bortzmeyer wrote:
On Fri, Jun 08, 2012 at 03:09:04PM -0400,
Joe Maimon<jmai...@ttec.com> wrote
a message of 7 lines which said:
Is there any publicly available rate limiting for BIND?
Not as far as I know. I'm not sure it would be a good idea. BIND is
feature-rich enough.
I really hope you have a minority viewpoint on this one. I would really
like to see it.
How about host-based IDS that can be used to trigger rtbh or iptables?
What I do (I manage a small and experimental open resolver) is to use
iptables this way (porting it to IPv6 is left as an exercice):
iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP
So, every prefix (length 28) can send 20 r/s with allowed bursts of
100. This requires a Netfilter>= 1.4 (recent options of module
hashlimit).
Missing the amplification factor goodness google says they have, but
I'll take it.
https://developers.google.com/speed/public-dns/docs/security
Most iptables recipes that you find on the Web are not well suited to
DNS. They use connection tracking, for instance, while, with the DNS,
every request/response is a "connection".
I have a more complete article on this setup but in french only
<http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html>.
This sounds promising. I will give it a spin. Thank you!
Google and Level3 manage to run open resolvers, why cant I?
You have less money :-)
With help like yours, I hope to compensate for that.
Joe
