Hi,

Is there any reason why you are not performing this rate limiting using a firewall like iptables/netfilter?

You could limit the incoming requests at this point with ease, and the nameserver would never get in touch with dropped requests, thus not wasting CPU time. Also, this approach allows for a dedicated firewall device (for example, a simple piece of hardware also running Linux+iptables or Unix+BPF).

  Sebastian

On 2017-04-30 15:04, ramkishor...@gmail.com wrote:
Hi,
To protect the DNS server from overload, is there any feature already
part of the Bind software (or that can be achieved with any configuration
changes) which can be enabled/disabled?
I came across a relevant feature called response rate limiting (RRL) in the
documentation, and it looks like it is mostly useful for taking the
decision at the time of response transmission, after the handling of the
incoming request.
Correct me if I am wrong here.

But what I am looking for is a feature which calculates the incoming rate
and rejects the messages above a certain limit at the initial stage
itself, before handling and dropping them, so that no resource
utilization will be wasted on processing.
This type of mechanism will be very useful in defining the
benchmark limit for any particular server based on its CPU and
resource utilization.

The Bind version we currently use is Bind 9.11.

Any expertise inputs are very much appreciated. Thanks.
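As an added illustration of the firewall-side approach suggested in the reply above (this is example code, not something posted in the thread and not part of BIND), the script below generates netfilter rules that drop excess DNS queries in the INPUT chain before named ever receives them. It combines a per-source ceiling (hashlimit, bucketed by /24 so a single host cannot exhaust the table) with a global ceiling sized to what the box can actually serve; the global cap matters because per-source limits alone are easy to spread across spoofed UDP source addresses. The interface name, rates, bursts and chain names are all assumptions; nothing is applied unless you run it as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): rate-limit inbound DNS at the
# netfilter layer so that dropped queries never cost named any CPU.
# All defaults below are assumed values; tune them to the server's measured capacity.

# dns_ratelimit_rules [IFACE] [SRC_RATE] [SRC_BURST] [GLOBAL_RATE] [GLOBAL_BURST]
# Prints the iptables commands to stdout; it does not touch the running ruleset.
dns_ratelimit_rules() {
    iface="${1:-eth0}"            # assumed ingress interface
    src_rate="${2:-50/second}"    # assumed per-/24 sustained query rate
    src_burst="${3:-100}"         # assumed per-/24 burst allowance
    glob_rate="${4:-5000/second}" # assumed aggregate rate named can sustain
    glob_burst="${5:-10000}"      # assumed aggregate burst allowance

    # DNS_DROP logs a sample of what is dropped (rate-limited so the log
    # itself cannot be flooded) and then discards the packet.
    # DNS_RATELIMIT applies the per-source check first, then the global cap.
    # Hashlimit buckets by /24 so spoofed sources still share a bucket; the
    # global -m limit rule is the backstop when sources are spread wider.
    cat <<EOF
iptables -N DNS_DROP
iptables -A DNS_DROP -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "DNS-RATELIMIT: "
iptables -A DNS_DROP -j DROP
iptables -N DNS_RATELIMIT
iptables -A DNS_RATELIMIT -m hashlimit --hashlimit-name dns_src --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above $src_rate --hashlimit-burst $src_burst -j DNS_DROP
iptables -A DNS_RATELIMIT -m limit --limit $glob_rate --limit-burst $glob_burst -j RETURN
iptables -A DNS_RATELIMIT -j DNS_DROP
iptables -I INPUT -i $iface -p udp --dport 53 -j DNS_RATELIMIT
iptables -I INPUT -i $iface -p tcp --dport 53 --syn -j DNS_RATELIMIT
EOF
}

# apply_dns_ratelimit: feed the generated rules to the shell (requires root).
apply_dns_ratelimit() {
    dns_ratelimit_rules "$@" | sh
}

# Default behaviour is a dry run: show the rules so they can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then
    apply_dns_ratelimit "$@"
else
    dns_ratelimit_rules "$@"
fi
```

Only new TCP connections (`--syn`) are counted on port 53 so that established TCP sessions are not dropped mid-transfer, and the per-source rule uses `--hashlimit-above` so that traffic under the ceiling falls through to the global check rather than being accepted unconditionally.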

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users