From owner-freebsd-questions@FreeBSD.ORG Tue Dec 26 13:30:34 2006
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Tue, 26 Dec 2006 13:30:03 +0000
To: Tek Bahadur Limbu
Cc: freebsd-questions@freebsd.org
Subject: Re: Need to restrict DNS requests to just 5 per second
Message-ID: <459123DB.9010007@infracaninophile.co.uk>
In-Reply-To: <20061226171837.5e4c92a0.teklimbu@wlink.com.np>
Tek Bahadur Limbu wrote:

> I have a question regarding my Bind dns name server. About 1000 users
> are using my dns name server using public IPs.
>
> I need to restrict dns (udp) requests to not more than 3 requests per
> second from each client's IP.
>
> Is there a way which we can apply this restriction using the
> configuration files of Bind or IPFW or anything for the matter?

This can be sort-of done quite easily using pf(4):

    pass in on $ext_if proto udp from any to $ext_if port 53 \
        keep state (max-src-conn-rate 300 / 60)

However, the problem here is that UDP is a stateless protocol, so pf's
concept of a 'session' is any traffic between the querying IP+port and
the local endpoint.  Obviously, if the end point is querying fast enough,
and keeps reusing the same port numbers, then the traffic can all form
part of the same session, so this rule may not be completely effective.
See:

    http://www.openbsd.org/faq/pf/filter.html#stateopts

Beyond that, you may be able to use ALTQ with pf to limit the bandwidth
applied to DNS traffic.

There are also controls that can be implemented within BIND to prevent
the server being overloaded by traffic levels.  See 'recursive-clients'
and 'tcp-clients' under:

    http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#id2554668

However, these do not distinguish between individual clients.

Note that if you are providing recursive service to your clients you
should certainly limit access to the service by originating net block, so
that only your clients can use the service.
You may also find that alternative recursive DNS servers may work better
-- djbdns has a pretty good DNS cache and recursive-only implementation.
Of course, recursive and authoritative DNS should be kept separate for
security reasons.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
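Editor's added example (not part of the message above, and not pf or BIND
code): a small simulation of the two ways the thread talks about counting
DNS traffic per client.  SessionRateLimiter models what a stateful filter's
"new sessions per source per interval" limit sees when UDP state is keyed on
(source IP, source port, destination IP, destination port): a query that
matches an existing state is never counted, so a client that reuses one
source port is only ever charged for one session.  QueryRateLimiter counts
every query per source IP, which is what the original question actually
asks for.  The traffic, addresses, class names and the assumption that
sessions never expire are all constructed for the example; a real filter
ages UDP state out, which only makes the session-based count more
generous, not stricter.

```python
"""Per-source-IP rate limiting of UDP DNS queries, two ways (added example).

SessionRateLimiter counts NEW sessions per source IP, a session being keyed
on (src ip, src port, dst ip, dst port) as a stateful packet filter keeps
UDP state; a packet matching an existing session is never counted.
QueryRateLimiter counts every query per source IP, whatever the port.
Sessions never expire in this model (assumption; a real filter ages them).
"""
from collections import defaultdict, deque

DNS_SERVER = "203.0.113.53"   # constructed server address (TEST-NET-3)
DNS_PORT = 53


class _SlidingWindow:
    """At most `limit` counted events per key within the last window_ms."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.events = defaultdict(deque)   # key -> timestamps (ms) of counted events

    def take(self, key, t_ms):
        """Return True and record the event if `key` is still under its limit."""
        q = self.events[key]
        while q and t_ms - q[0] >= self.window_ms:
            q.popleft()                    # forget events that left the window
        if len(q) >= self.limit:
            return False                   # over limit: not recorded
        q.append(t_ms)
        return True


class SessionRateLimiter:
    """'At most limit NEW sessions per source IP per window' (stateful-filter style)."""

    def __init__(self, limit, window_ms):
        self.window = _SlidingWindow(limit, window_ms)
        self.sessions = set()              # 4-tuples with existing state

    def allow(self, t_ms, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return True                    # matches existing state: passes, uncounted
        if not self.window.take(src_ip, t_ms):
            return False                   # dropped, so no state is created
        self.sessions.add(key)
        return True


class QueryRateLimiter:
    """'At most limit queries per source IP per window', independent of ports."""

    def __init__(self, limit, window_ms):
        self.window = _SlidingWindow(limit, window_ms)

    def allow(self, t_ms, src_ip, src_port, dst_ip, dst_port):
        return self.window.take(src_ip, t_ms)


def constructed_traffic(src_ip, count, interval_ms, fixed_port=None):
    """Constructed query stream: `count` queries, one every interval_ms.

    With fixed_port the client reuses a single source port; otherwise every
    query comes from a fresh port (10000, 10001, ...)."""
    return [(i * interval_ms, src_ip,
             fixed_port if fixed_port is not None else 10000 + i,
             DNS_SERVER, DNS_PORT)
            for i in range(count)]


def run(limiter, traffic):
    """Feed a time-ordered packet list through limiter; return (allowed, dropped)."""
    allowed = sum(1 for pkt in traffic if limiter.allow(*pkt))
    return allowed, len(traffic) - allowed


if __name__ == "__main__":
    # One client at 20 queries/s for 30 s, first reusing one port, then not.
    reuse = constructed_traffic("192.0.2.10", 600, 50, fixed_port=40000)
    fresh = constructed_traffic("192.0.2.10", 600, 50)
    for name, traffic in (("same source port", reuse), ("fresh source port", fresh)):
        print(name)
        print("  300 new sessions / 60 s :", run(SessionRateLimiter(300, 60_000), traffic))
        print("  3 queries / 1 s         :", run(QueryRateLimiter(3, 1_000), traffic))
```

With one reused source port the session-based limiter passes all 600
queries (it only ever sees one session), and it only starts dropping when
the client changes port for every query; the per-IP query counter drops the
same 510 of 600 either way, while leaving a second, well-behaved address
untouched.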