https://kb.isc.org/article/AA-01000
On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin <arturo.ser...@gmail.com> wrote:
> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia <m...@anuragbhatia.com> wrote:
>> Hi ML
>>
>> Yeah, I can understand. Even DNSSEC will have issues with it, which makes
>> me worry about the rule even today.
>>
>>
>> On Wed, Dec 11, 2013 at 11:49 PM, ML <m...@kenweb.org> wrote:
>>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>>>>
>>>> I am sure I am not the first person experiencing this issue. Curious to hear
>>>> how you are managing it. Also, under what circumstances can I get a
>>>> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>>>> than 1000 bytes?
>>>>
>>>
>>> I'm not a DNS guru, so I don't have an exact answer. However, my gut
>>> feeling is that putting in place a rule to drop or rate limit DNS
>>> replies greater than X bytes is probably going to come back to bite you
>>> in the future.
>>>
>>> No one can predict the future of what will constitute legitimate DNS
>>> traffic.
>>>
>>
>>
>> --
>>
>> Anurag Bhatia
>> anuragbhatia.com
>>
>> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
>> Twitter <https://twitter.com/anurag_bhatia>
>> Skype: anuragbhatia.com
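As an added example, not taken from any message in this thread, here is the BIND Response Rate Limiting (RRL) configuration that the "bind has a way to do it" remark refers to. RRL is built into BIND 9.9.4 and later; the block goes in the options (or a view) section of named.conf on an authoritative server. The numeric thresholds are assumed starting values for illustration, not figures anyone in the thread gave:

```conf
options {
    // Response Rate Limiting: counts identical responses (same answer,
    // NXDOMAIN, referral or error) sent to the same client prefix and
    // throttles once the per-second budget is exceeded. The key is
    // "who asked for what", not the byte size of the reply, so large
    // DNSSEC-signed or EDNS0 responses to real clients are untouched.
    rate-limit {
        responses-per-second 5;     // assumed starting budget for positive answers
        nxdomains-per-second 5;     // NXDOMAIN floods (random-subdomain attacks)
        errors-per-second    5;     // SERVFAIL/FORMERR etc.
        window 5;                   // seconds over which the budget accumulates

        // Every 2nd rate-limited response is sent truncated (TC=1) instead
        // of dropped, so a legitimate resolver that shares a /24 with a
        // spoofed victim retries over TCP and still gets its answer.
        slip 2;

        ipv4-prefix-length 24;      // aggregate clients by /24 ...
        ipv6-prefix-length 56;      // ... and by /56

        // Dry run: log what would be limited but do not drop anything yet.
        // Flip to "no" after reviewing the rate-limit log category.
        log-only yes;
    };
};
```

Apply with rndc reload, leave log-only on until the logged would-be drops are clearly reflection traffic and not your own busy resolvers, then set log-only no. Because the limiter acts on response identity and client prefix rather than size, it addresses the amplification concern without the breakage ML and Anurag describe for a "drop replies larger than X bytes" rule.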