When client requests originate from a person (i.e. web browser), I would agree that there is little harm to network resources. Eventually, that person will tire of hitting refresh and take their browsing elsewhere. Programmatic requests are not so easily distracted and can be persistent.
The concept of TTL has existed in routing forever. A router may respond to an ICMP request until the TTL has expired after which the request is ignored. This prevents routing loops from consuming resources, however insignificant. I realize that the DNS TTL is a timer versus ICMP which is a counter, but I am looking for a solution similar to the IP TTL in which a nameserver would attempt to honestly resolve a lookup to a point, after which an alternative failure is returned. Something which instructs the client issuing the request that resolution is impossible. Just as the throttle works on forwarding, the same dampening would be applied to responses.

Iptables and other network based solutions treat all DNS traffic the same, namely, rate limiting queries of any kind based on IP. I am not assuming that just because one query is 'bad', that all subsequent queries should also be discarded/limited. The nameserver cache is storing information relative to the unique queries and can more effectively limit the flow of bogus lookups without having to degrade service to/from a particular host for legitimate traffic.

Thanks.

On Wed, Sep 7, 2011 at 9:11 AM, Jon Davis <[email protected]> wrote:
> Could you add something in iptables for rate limiting? Granted that won't
> handle NXDOMAIN/SRVFAIL specifically, but you could probably guess a high
> end average and cap it to that.
> -Jon
>
> On Tue, Sep 6, 2011 at 21:36, Andrew Melton <[email protected]> wrote:
>>
>> Following the advice from the IRC channel, I am looking for throttling
>> support in PDNS. As I understand it, the recursor currently has the
>> ability to suppress repetitive queries from being forwarded to an
>> authoritative name server. However, there is no mechanism to discourage
>> those requests from the client in the first place.
>>
>> Essentially, instead of answering a bogus query forever, at a certain
>> point, it would make sense to return an alternate response. After 50
>> requests for an NXDOMAIN, the recursor could not only stop forwarding
>> queries, but reply with SRVFAIL or similar, updating its cache accordingly.
>>
>> Just as with setting a throttling threshold on forwarding, x requests
>> within y seconds would constitute a flood and instruct the recursor to
>> protect itself by altering its response to identical requests.
>>
>> And pushing this to a network appliance (firewall) won't work. It needs
>> to be unattended and realtime.
>>
>> Thanks.
>>
>> _______________________________________________
>> Pdns-users mailing list
>> [email protected]
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
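As an added example (not the PowerDNS recursor's own code), here is a Python sketch of the per-question dampening Andrew describes: x NXDOMAIN answers within y seconds for one question flip later answers for that question to SERVFAIL, while queries from the same client for other names pass through untouched. The class, parameter names and the constructed traffic in `simulate()` are this example's own assumptions.

```python
"""Added example (not PowerDNS code): per-question negative-answer throttle.
Once the same question has drawn NXDOMAIN `threshold` times within `window`
seconds, answer SERVFAIL for that question instead; other names from the same
client are untouched. Class and parameter names are this example's own."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple
import time

NXDOMAIN, SERVFAIL = "NXDOMAIN", "SERVFAIL"
Question = Tuple[str, str]  # (qname, qtype), e.g. ("bogus.example.", "A")


@dataclass
class NegativeThrottle:
    threshold: int = 50            # x requests ...
    window: float = 10.0           # ... within y seconds constitute a flood
    now: Callable[[], float] = time.monotonic   # injectable clock for testing
    _hits: Dict[Question, Deque[float]] = field(default_factory=dict)

    def respond(self, q: Question, rcode: str) -> str:
        """Return the rcode to send the client for question q, given the rcode
        the resolver would otherwise return; dampens only repeated NXDOMAIN."""
        if rcode != NXDOMAIN:
            return rcode                       # positive answers never dampened
        t = self.now()
        hits = self._hits.setdefault(q, deque())
        while hits and t - hits[0] > self.window:
            hits.popleft()                     # forget NXDOMAINs outside window
        if len(hits) >= self.threshold:
            return SERVFAIL                    # flood: refuse instead of resolve
        hits.append(t)
        return NXDOMAIN


def simulate(threshold: int = 50, window: float = 10.0) -> Dict[str, int]:
    """Constructed traffic: 60 rapid queries for a nonexistent name, then a
    lookup of a real name, then one more bogus query after the window lapses."""
    clock = [0.0]
    t = NegativeThrottle(threshold, window, now=lambda: clock[0])
    tally: Dict[str, int] = {}
    for _ in range(60):
        clock[0] += 0.1                                    # 60 queries in 6 s
        rc = t.respond(("bogus.example.", "A"), NXDOMAIN)  # upstream: NXDOMAIN
        tally[rc] = tally.get(rc, 0) + 1
    tally["good:" + t.respond(("www.example.", "A"), "NOERROR")] = 1
    clock[0] += window + 1                                 # flood window lapses
    tally["after:" + t.respond(("bogus.example.", "A"), NXDOMAIN)] = 1
    return tally
```

Because the key is the question rather than the client address, a host that floods one bogus name still gets normal answers for everything else, which is the distinction from an iptables rate limit made above.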
