von Dein, Thomas <thomas.vond...@f-i-ts.de> wrote:
>
> We're seeing a lot of malformed DNS queries to our recursive nameservers
> like these:

[snip queries for notification. / antivirusix. / kubeinspect. / organization. / history. / go-kms. ]

> Obviously these clients (there are many) are misconfigured in some weird
> way. But sometimes they send valid queries. So, what I'd like to do is
> to throttle them down somehow when they start to send these queries. And
> I only want to do this for clients in this specific source network, not
> for all.

Response rate limiting (RRL) does something roughly like what you want: it
suppresses answers to repeated queries. However it is designed to deal with
abusive traffic with spoofed source addresses, whereas your problem traffic
is legitimate.

https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/Bv9ARM.ch05.html#rrl

You should be extremely wary of rate-limiting non-abuse traffic on a
recursive server, because it can cause some very hard-to-debug problems,
e.g. your queries look vaguely cloud-flavoured which reminds me of
https://www.awsadvent.com/2018/12/07/working-with-aws-limits/

A better approach might be to find the people who aren't configuring their
systems with a default domain name or search path, and gently teach them
the error of their ways :-)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties: Cyclonic becoming northwest 5 or 6. Moderate or rough. Wintry showers. Good.
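One way to act on the "find the people" suggestion above, as an added example that is not part of the original thread: scan BIND query-log lines, keep only clients inside the suspect source network, and count per client how many queried names are single-label (no interior dot), which is the signature of a host missing its default domain or search path. The log line shape matched by the regex and the sample lines are assumptions constructed for this example, not output taken from the poster's servers.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 query-log line shape (typical "querylog yes" output):
#   <date> <time> client @0x... 192.0.2.10#53412 (notification): query: notification IN A +E(0) (10.0.0.1)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample lines: two clients inside the suspect /24, one outside it.
SAMPLE_LOG = """\
07-Dec-2018 10:00:01.001 client @0x7f1 192.0.2.10#53412 (notification): query: notification IN A +E(0) (10.0.0.1)
07-Dec-2018 10:00:01.002 client @0x7f1 192.0.2.10#53413 (kubeinspect): query: kubeinspect IN AAAA +E(0) (10.0.0.1)
07-Dec-2018 10:00:01.003 client @0x7f1 192.0.2.10#53414 (www.example.com): query: www.example.com IN A +E(0) (10.0.0.1)
07-Dec-2018 10:00:01.004 client @0x7f1 192.0.2.77#40001 (go-kms): query: go-kms IN A +E(0) (10.0.0.1)
07-Dec-2018 10:00:01.005 client @0x7f1 198.51.100.5#40002 (history): query: history IN A +E(0) (10.0.0.1)
"""

def is_single_label(qname: str) -> bool:
    """True for names like 'notification' or 'notification.' (no interior dot)."""
    return "." not in qname.rstrip(".")

def single_label_clients(log_text: str, source_net: str) -> dict:
    """Return {client_ip: (single_label_count, total_count)} for clients in source_net."""
    net = ipaddress.ip_network(source_net)
    single = Counter()
    total = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format this regex does not know)
        ip = ipaddress.ip_address(m.group("ip"))
        if ip not in net:
            continue  # only the one source network the poster cares about
        total[str(ip)] += 1
        if is_single_label(m.group("qname")):
            single[str(ip)] += 1
    return {ip: (single[ip], total[ip]) for ip in total}

if __name__ == "__main__":
    report = single_label_clients(SAMPLE_LOG, "192.0.2.0/24")
    for ip, (bad, all_q) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip}: {bad}/{all_q} queries were single-label names (likely missing search path)")
```

Feed it the real query log and the real source prefix to get a per-host list to hand to the owners of those systems, rather than rate-limiting them on the resolver.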