Alex K <rightkickt...@gmail.com> writes:

> On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>> maybe someone uses VPN over DNS...
>> in such case, rate limiting of client comes to mind...
>>
> That would mean that the clients have access to their own dns servers,
> which the firewall does not allow.
No, you can run IP over DNS using any resolver. Also yours. Yes, they need a server for the remote end. But your resolver will be the one talking to it, just like it queries any other authoritative server on behalf of the client.

Typically something you do for fun. Not for normal use. But I guess it could be in use by those who need a reliable communication channel inside any "isolated" environment. DNS tends to be available even where nothing else is.

FWIW I agree with the rate-limit recommendation. It solves both this and your original problem without any complicated and messy tracking. Just make DNS "free" up to some reasonable query rate. If there are clients with higher legitimate needs, then you could consider creating separate rate-limit classes for those clients. And even charge extra for that, if it's important.

Bjørn

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
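The per-client accounting Bjørn describes (a "free" query allowance, with heavier clients sorted into a separate rate-limit class) can be driven from the resolver's own query log. The script below is an added example, not code from this thread or from ISC; it assumes BIND 9's default `queries` log-category line format (timestamp, client address and port, qname, class, type) and uses constructed sample lines. Besides the peak query rate per client it also reports how many distinct names one client asked for under a single registrable domain, which is the footprint IP-over-DNS leaves on a resolver (every packet becomes a never-repeating label), so the two cases the thread discusses fall out of the same pass.

```python
"""Per-client DNS query-rate accounting over BIND query-log lines.

Added example, not code from the bind-users thread or from BIND itself. It
assumes the default BIND 9 "queries" category line format; the sample log
lines at the bottom are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Default BIND 9 query log line. The "@0x..." client pointer is optional because
# older versions omit it; the trailing flags and server address are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def peak_window_count(timestamps, window_seconds):
    """Largest number of events inside any sliding window of window_seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def registered_domain(qname):
    """Crude 'last two labels' stand-in for the registrable domain (no PSL lookup)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def account_clients(lines, window_seconds=60):
    """Per client: total queries, peak queries in any window, and the largest
    number of distinct names requested under one registrable domain."""
    per_client_ts = defaultdict(list)
    per_client_names = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _ = parsed
        per_client_ts[ip].append(ts)
        per_client_names[ip][registered_domain(qname)].add(qname)
    stats = {}
    for ip, tss in per_client_ts.items():
        fanout = max(len(names) for names in per_client_names[ip].values())
        stats[ip] = {
            "total": len(tss),
            "peak": peak_window_count(tss, window_seconds),
            "max_names_per_domain": fanout,
        }
    return stats


def over_limit(stats, free_queries_per_window):
    """Clients whose peak rate exceeds the free allowance: candidates for a
    separate (throttled or paid) rate-limit class."""
    return sorted(ip for ip, s in stats.items() if s["peak"] > free_queries_per_window)


def _line(ts, ip, qname, qtype="A"):
    # Builds a constructed log line in the BIND 9 query format matched above.
    return (f"{ts} client @0x7f3c2c0a1b20 {ip}#53412 ({qname}): "
            f"query: {qname} IN {qtype} +E(0)K (192.0.2.1)")


# Constructed sample: one ordinary client, one unrelated non-query line, and one
# client sending 30 TXT queries in 30 seconds with a never-repeating label.
SAMPLE_LOG = [
    _line("09-May-2022 14:03:00.000", "192.0.2.10", "www.example.com"),
    _line("09-May-2022 14:03:15.000", "192.0.2.10", "www.example.com", "AAAA"),
    _line("09-May-2022 14:03:40.000", "192.0.2.10", "mail.example.com"),
    "09-May-2022 14:03:41.000 general: info: zone example.org/IN: loaded serial 1",
] + [
    _line(f"09-May-2022 14:04:{i:02d}.000", "192.0.2.20", f"{i:032x}.t.example.net", "TXT")
    for i in range(30)
]

if __name__ == "__main__":
    result = account_clients(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s)
    print("over free allowance of 20/min:", over_limit(result, 20))
```

On a real resolver you would feed the script `tail -F` output of the query log (or a log shipper) and adjust `window_seconds` and the free allowance to the rates you actually see; the point of `max_names_per_domain` is only to separate a client that is merely busy from one whose volume comes from a single domain with unique labels, which deserves a look before it is moved into a paid class.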