Ton van Rosmalen wrote:
Leen Besselink schreef:
On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
Obviously; but that's being reactive; I was looking for something more
proactive.  --Augie


I've not tested it, but I understand the u32 option is available on 
Debian/Linux for example:

http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

That might do what you want.

How about rate limiting using iptables? You'd have to determine some sort of general usage rule or manually add IP addresses to the list that's limited.

I didn't know iptables had an easy way to do this per source address. But I've looked around and possibly the recent iptables module would be able to do so:

http://www.debian-administration.org/articles/187

OpenBSD's PF would probably be able to, though:

http://www.openbsd.org/faq/pf/filter.html#stateopts

I just had a list of IP addresses and only return a small packet for the rest, but I'm definitely still considering changing it, because there are a few new ones every few days.

Although someone on the NANOG mailing list I read sends an update each time, I must say, that's convenient too. :-)

I don't particularly like rate-limiting something as important as DNS where I work.

PS: You were probably not aware of it, but please don't send HTML-only e-mails to mailing lists; some people don't like it. Thunderbird does support it, I think.

Regards,

Ton

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
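An added example, written for this page and not taken from any message in the thread, showing the two approaches being discussed side by side in Python: a small decoder that recognises the ". IN NS" query pattern that the u32 rule in the linked stupendous.net article is assumed to match on the wire, and a per-source sliding-window counter shaped like the recent module's --seconds/--hitcount match. The packet bytes are constructed inline; that the linked rule matches exactly this query, and the exact semantics of the recent module, are assumptions here rather than anything stated in the thread.

```python
# Added example (not from the pdns-users thread): classify DNS queries the way a
# front-end filter would, first by signature (". IN NS") and then by per-source rate.
import struct
from collections import defaultdict, deque

QTYPE_NS = 2
QCLASS_IN = 1
HEADER_LEN = 12


def parse_question(packet: bytes):
    """Decode the header and first question of a DNS message.

    Returns (qname, qtype, qclass); raises ValueError for anything that is
    not a well-formed single-question query (responses included).
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:HEADER_LEN])
    if flags & 0x8000:          # QR=1 means this is a response, not a query
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    off = HEADER_LEN
    labels = []
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        length = packet[off]
        off += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question")
        if off + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    qname = ".".join(labels) + "." if labels else "."
    return qname, qtype, qclass


def is_root_ns_query(packet: bytes) -> bool:
    """True for the '. IN NS' query the thread wants to drop; malformed input is not flagged."""
    try:
        qname, qtype, qclass = parse_question(packet)
    except ValueError:
        return False
    return qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


def build_query(qname: str, qtype: int, qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Construct a minimal recursion-desired query (sample input for this example)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.strip(".").split(".") if label)
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)


class SourceRateLimiter:
    """Sliding-window hit counter per source address.

    Assumed to mirror the shape of iptables' recent module (--seconds N --hitcount M):
    a source seen M or more times within the last N seconds is over the limit.
    Timestamps are passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, seconds: float, hitcount: int):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        window = self.hits[src]
        while window and now - window[0] > self.seconds:
            window.popleft()     # forget hits that fell out of the window
        window.append(now)       # the current packet counts, as with --update
        return len(window) < self.hitcount


def verdict(src: str, packet: bytes, now: float, limiter: SourceRateLimiter) -> str:
    """Decide what a front-end filter would do with one query from src."""
    if is_root_ns_query(packet):
        return "drop-spurious"          # the u32-style signature match
    if not limiter.allow(src, now):
        return "drop-ratelimit"         # the recent-module-style per-source limit
    return "accept"


if __name__ == "__main__":
    limiter = SourceRateLimiter(seconds=60, hitcount=3)
    print(verdict("192.0.2.9", build_query(".", QTYPE_NS), 0.0, limiter))
    for t in (0.0, 1.0, 2.0):
        print(verdict("192.0.2.9", build_query("example.com.", 1), t, limiter))
```

The signature check runs before the rate limiter so that the spurious queries never consume a source's allowance; ordinary traffic from the same address is only dropped once it exceeds the window, which keeps the "I don't like rate-limiting DNS" concern in mind by making the threshold explicit and tunable.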
