On 2013-03-27, at 14:52, Jared Mauch <ja...@puck.nether.net> wrote:

> I am very concerned about examples such as this possibly being implemented by
> a well-intentioned sysadmin or neteng type without understanding their query
> load and patterns. bind with the rrl patch does log when things are
> happening. While the data is possible to extract from iptables, IMHO it's
> not quite as easy to audit as a syslog.
For an authoritative-only server, people can expect coarse rate-limits such as those quoted earlier with iptables to give false positives and to reject legitimate queries. RRL is far safer.

For a recursive server, I agree you need a much better understanding of your traffic patterns before you try something like the iptables example. Dropping queries from your own clients' stub resolvers has an immediate support cost. You *really* don't want false positives there.

Joe
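The point Joe makes above (a coarse per-source cap punishes a busy but legitimate resolver, whereas RRL keys on the response being repeated) can be shown with a small simulation. The following is an added example, not code from the thread or from BIND; it is a deliberately simplified model of the two strategies (no RRL slip, leak, or log tracking) run over a constructed one-second traffic sample that uses documentation address ranges.

```python
"""Toy comparison of a coarse per-source-IP rate limit (iptables-style) with an
RRL-style limit keyed on (client netblock, qname, qtype).

Added example: this is a simplified model, not BIND's actual RRL algorithm and
not an iptables rule. All traffic below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_network


def build_sample_queries():
    """Constructed one-second sample seen by an authoritative server."""
    queries = []
    # A large ISP's recursive resolver legitimately asks 50 *different* names.
    for i in range(50):
        queries.append({"t": i / 50, "src": "203.0.113.5",
                        "qname": f"host{i}.example.com", "qtype": "A",
                        "legit": True})
    # Spoofed traffic repeating one large response 200 times at one source.
    for i in range(200):
        queries.append({"t": i / 200, "src": "198.51.100.7",
                        "qname": "example.com", "qtype": "ANY",
                        "legit": False})
    queries.sort(key=lambda q: q["t"])
    return queries


def coarse_limit(queries, per_second):
    """Per-source-IP cap per one-second window, like a coarse firewall rule.

    Returns (answered, dropped). The limiter has no idea what is being asked,
    so a resolver asking many distinct names is throttled just like an attack.
    """
    counts = defaultdict(int)
    answered, dropped = [], []
    for q in queries:
        key = (q["src"], int(q["t"]))
        counts[key] += 1
        (answered if counts[key] <= per_second else dropped).append(q)
    return answered, dropped


def rrl_limit(queries, responses_per_second, prefix=24):
    """RRL-style cap: identical responses to one client netblock per second.

    Returns (answered, dropped). Distinct names from one resolver each get
    their own bucket, so legitimate diverse traffic passes while a repeated
    identical response to one /24 is limited.
    """
    counts = defaultdict(int)
    answered, dropped = [], []
    for q in queries:
        net = ip_network(f"{q['src']}/{prefix}", strict=False)
        key = (net, q["qname"], q["qtype"], int(q["t"]))
        counts[key] += 1
        (answered if counts[key] <= responses_per_second else dropped).append(q)
    return answered, dropped


def summarize(dropped):
    """Tally drops by legitimacy: the audit figure you want from your logs."""
    out = {"legit": 0, "abusive": 0}
    for q in dropped:
        out["legit" if q["legit"] else "abusive"] += 1
    return out


if __name__ == "__main__":
    qs = build_sample_queries()
    _, coarse_dropped = coarse_limit(qs, per_second=20)
    _, rrl_dropped = rrl_limit(qs, responses_per_second=5)
    print("coarse per-IP limit dropped:", summarize(coarse_dropped))
    print("RRL-style limit dropped:    ", summarize(rrl_dropped))
```

With these constructed numbers the coarse limiter drops 30 of the resolver's 50 legitimate queries (false positives with a real support cost) while still letting 20 of the repeated responses through; the RRL-style limiter drops none of the legitimate queries and all but 5 of the repeated ones. The `summarize` tally stands in for the per-drop syslog visibility the thread notes is easier to audit with RRL than with firewall counters.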