by David Nola » Wed, 12 Mar 2008 23:47:39
--On Tuesday, March 11, 2008 14:07:11 +0000 Jo Martins
I don't believe there is a way to do this in BIND directly, however here
are a couple tips that might help.
If you can install host firewall rules, you may be able to use those to
rate limit the queries. For example, on a linux machine you could use:
# accept up to 3 UDP/53 packets per second (plus the limit module's default burst) from this client
iptables -A INPUT -s $ipaddress -p udp --dport 53 -m limit --limit 3/s -j ACCEPT
# drop everything from it above that rate
iptables -A INPUT -s $ipaddress -p udp --dport 53 -j DROP
Note however that that might make things much worse from the client
machine's perspective, as they'll just receive DNS timeouts, so I would
only do something along this line in an extreme scenario.
The approach we take at Carnegie Mellon for our heavy query client machines
(mostly mail servers), is to provide dedicated DNS server addresses for
those machines. We don't provide dedicated server hardware, we just make
those server addresses be secondary IP addresses on our normal pool of DNS
servers. For example:
- Most client machines receive via DHCP two name servers, 10.0.0.10 and
10.0.0.11
- High query server machines receive via DHCP (or static resolv.conf) two
different DNS server addresses, 10.0.0.13 and 10.0.0.14.
But 10.0.0.13 and 10.0.0.10 are actually served by the same machine, with
10.0.0.13 being a secondary interface (eth0:1 for example) (*). Why does
this help you might ask... Because BIND processes queries from each of its
interfaces in a round robin fashion. So the heavy query load to 10.0.0.13
will generate a large queue of requests on that interface, while the
10.0.0.10 interface will have a much smaller (or empty) queue of requests,
and those requests will get processed equally with the large queue.
(*): Actually our setup is more complex than this. The published
recursive server addresses are actually served via a pool of servers via
internal Anycast. This allows for redundancy of our DNS servers, and
horizontal scaling.
-David Nolan
Network Systems Engineer
Computing Services
Carnegie Mellon University
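Before either of the measures above (firewall rate limits, or moving a client to the dedicated addresses) it helps to know which clients are actually heavy. The following is an added example, not part of the post above, that measures each client's peak one-second query rate from BIND 9 querylog lines; the log lines are constructed for illustration and the 3 queries/s threshold simply echoes the iptables figure in the post.

```python
import re
from collections import defaultdict

# Matches BIND 9 querylog records of the form:
#   12-Mar-2008 23:47:39.001 client 10.0.1.5#4101: query: a.example.com IN A + (10.0.0.10)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) "
)

# Constructed sample log (not real traffic): 10.0.1.5 plays the part of a
# busy mail server, 10.0.2.7 an ordinary workstation.
SAMPLE_LOG = """\
12-Mar-2008 23:47:39.001 client 10.0.1.5#4101: query: a.example.com IN A + (10.0.0.10)
12-Mar-2008 23:47:39.004 client 10.0.1.5#4102: query: a.example.com IN MX + (10.0.0.10)
12-Mar-2008 23:47:39.010 client 10.0.2.7#53201: query: www.example.org IN A + (10.0.0.10)
12-Mar-2008 23:47:39.120 client 10.0.1.5#4103: query: b.example.net IN MX + (10.0.0.10)
12-Mar-2008 23:47:39.300 client 10.0.1.5#4104: query: 5.1.0.10.in-addr.arpa IN PTR + (10.0.0.10)
12-Mar-2008 23:47:39.950 client 10.0.1.5#4105: query: c.example.com IN A + (10.0.0.10)
12-Mar-2008 23:47:40.020 client 10.0.1.5#4106: query: d.example.com IN MX + (10.0.0.10)
12-Mar-2008 23:47:40.400 client 10.0.1.5#4107: query: d.example.com IN A + (10.0.0.10)
12-Mar-2008 23:47:41.700 client 10.0.2.7#53202: query: mail.example.org IN A + (10.0.0.10)
"""


def queries_per_second(log_text):
    """Return {client_ip: {timestamp_second: query_count}} from querylog text.
    Lines that are not query records (startup messages etc.) are skipped."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            buckets[m.group("ip")][m.group("ts")] += 1
    return buckets


def heavy_clients(log_text, threshold_qps):
    """Clients whose peak one-second query rate reaches threshold_qps.
    Returns {client_ip: (peak_qps, total_queries)}, highest peak first."""
    report = {}
    for ip, per_sec in queries_per_second(log_text).items():
        peak = max(per_sec.values())
        if peak >= threshold_qps:
            report[ip] = (peak, sum(per_sec.values()))
    return dict(sorted(report.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    for ip, (peak, total) in heavy_clients(SAMPLE_LOG, 3).items():
        print(f"{ip}: peak {peak} q/s, {total} queries total")
```

Feed it a real querylog (enabled with `querylog yes;` or `rndc querylog`) to get the candidate list for the dedicated-address pool.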