Re: Need to restrict DNS requests to just 5 per second

2006-12-28 Thread Tek Bahadur Limbu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On Wed, 27 Dec 2006 18:41:17 -0500
Chuck Swiger <[EMAIL PROTECTED]> wrote:

> Tek Bahadur Limbu wrote:
> [ ... ]
> > Thank you very much for your help and suggestions. Actually, the
> > reason why I want to implement this restriction is that some
> > clients whose Windows PCs are infected with viruses and malware
> > send up to 10-20 bogus DNS queries per second, which causes the
> > traffic utilization on the DNS server to go up almost 5 times.
> 
> There are legitimate reasons why a client machine might want to make
> dozens or even hundreds of DNS lookups per second-- or have you never
> used adns or another webserver logfile analyzer yourself?  :-)
> 
> Please consider solving the problem rather than a symptom.
> 
> If you experience what you determine to be malicious traffic from a
> host or traffic which violates your published AUP, please contact the
> systems' owner or perform firewall egress filtering on such a machine
> until it gets fixed.
> 
> -- 
> -Chuck
> 

Hello Chuck,

I will definitely try what you stated.

Thanks.


- -- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFk6tMVrOl+eVhOvYRAjTgAJ0R94qZr/nrb6DLGWM45YIQJQLpFQCcDurr
ED5wdp+F0Gzs9ntFB+EunVk=
=BA7b
-END PGP SIGNATURE-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Need to restrict DNS requests to just 5 per second

2006-12-27 Thread Chuck Swiger

Tek Bahadur Limbu wrote:
[ ... ]

Thank you very much for your help and suggestions. Actually, the reason
why I want to implement this restriction is that some clients whose
Windows PCs are infected with viruses and malware send up to 10-20
bogus DNS queries per second, which causes the traffic utilization on
the DNS server to go up almost 5 times.


There are legitimate reasons why a client machine might want to make dozens or 
even hundreds of DNS lookups per second-- or have you never used adns or 
another webserver logfile analyzer yourself?  :-)


Please consider solving the problem rather than a symptom.

If you experience what you determine to be malicious traffic from a host or 
traffic which violates your published AUP, please contact the systems' owner 
or perform firewall egress filtering on such a machine until it gets fixed.


--
-Chuck


Re: Need to restrict DNS requests to just 5 per second

2006-12-26 Thread Tek Bahadur Limbu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 26 Dec 2006 07:49:09 -0600
Len Conrad <[EMAIL PROTECTED]> wrote:

> 
> >I need to restrict dns (udp) requests to not more than 3 requests per
> >second from each client's IP.
> 
> restricting DNS query rate, if you can find a way, will probably slow 
> your clients' operations very noticeably.
> 
> What problem are you trying to solve?
> 
> Len
>
> 
> 
> 

Dear All,

Thank you very much for your help and suggestions. Actually, the reason
why I want to implement this restriction is that some clients whose
Windows PCs are infected with viruses and malware send up to 10-20
bogus DNS queries per second, which causes the traffic utilization on
the DNS server to go up almost 5 times.


This name server is not authoritative and allows recursion only
to my internal clients defined in my ACL.


Well, I will definitely look into 'recursive-clients' and
'tcp-clients' and also at PF to implement the restriction as suggested
by Matthew.

But since I am currently using IPFW, if I implement another PF
firewall, will it result in unexpected consequences?


Since I am very new to both FreeBSD and Bind, I think
I have got more help and information than I need from you guys. :)

Thanks a lot once again.



- -- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFkiA9VrOl+eVhOvYRAvfAAJ9WZr4QEfvUyQ40/uC2h9328vD4yACaAoSm
+eFfFKxUvLOO9lqrvr7GB04=
=CZVy
-END PGP SIGNATURE-


Re: Need to restrict DNS requests to just 5 per second

2006-12-26 Thread Josh Paetzel
On Tuesday 26 December 2006 07:49, Len Conrad wrote:
> >I need to restrict dns (udp) requests to not more than 3 requests
> > per second from each client's IP.
>
> restricting DNS query rate, if you can find a way, will probably
> slow your clients' operations very noticeably.
>
> What problem are you trying to solve?
>
> Len
>

Well, the issue as I see it is you can't restrict the number of 
queries per second from the clients without doing something on the 
client's end.  You can restrict how many of those queries reach the 
nameserver, or perhaps even how many of those queries the nameserver 
actually responds to, but the applications at the client end are just 
going to keep retrying until they get an answer, so I would think that 
restricting answers is just going to generate more traffic in the 
end.

-- 
Thanks,

Josh Paetzel


Re: Need to restrict DNS requests to just 5 per second

2006-12-26 Thread Len Conrad



I need to restrict dns (udp) requests to not more than 3 requests per
second from each client's IP.


restricting DNS query rate, if you can find a way, will probably slow 
your clients' operations very noticeably.


What problem are you trying to solve?

Len
  





Re: Need to restrict DNS requests to just 5 per second

2006-12-26 Thread Matthew Seaman
Tek Bahadur Limbu wrote:
 
> I have a question regarding my Bind dns name server. About 1000 users
> are using my dns name server using public IPs.
> 
> I need to restrict dns (udp) requests to not more than 3 requests per
> second from each client's IP.
> 
> Is there a way which we can apply this restriction using the
> configuration files of Bind or IPFW or anything for that matter?

This can be sort-of done quite easily using pf(4):

    pass in on $ext_if proto udp \
        from any to $ext_if port 53 \
        keep state (max-src-conn-rate 300/60)

However, the problem here is that UDP is a stateless protocol, so pf's
concept of a 'session' is any traffic between the querying IP+port and
the local endpoint.  Obviously, if the end point is querying fast enough,
and keeps reusing the same port numbers then the traffic can all form
part of the same session, so this rule may not be completely effective.

See: http://www.openbsd.org/faq/pf/filter.html#stateopts

Beyond that, you may be able to use ALTQ with pf to limit the bandwidth
applied to DNS traffic.

There are also controls that can be implemented within BIND to prevent
the server being overloaded by traffic levels.  See 'recursive-clients'
and 'tcp-clients' under:

http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#id2554668

However these do not distinguish between individual clients.  

Note that if you are providing recursive service to your clients you
should certainly limit access to the service by originating net block
so only your clients can use the service.  You may also find that
alternative recursive DNS servers may work better -- djbdns has a pretty
good DNS cache and recursive-only implementation.  Of course, recursive
and authoritative DNS should be kept separate for security reasons.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
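Both the pf state-option approach above and Chuck's advice to find and deal with the actual infected hosts depend on knowing which client addresses are exceeding the rate. The following is an added example, not code from the thread or from BIND: it parses query-log lines in the style of a BIND 9 querylog channel (the exact format is an assumption for this example; adjust the regular expression to your channel's layout), tracks a one-second sliding window per client, and reports the clients whose peak exceeds the 3 queries-per-second figure the original poster mentions. The sample log is constructed; the addresses are taken from the RFC 5737 documentation ranges. It also counts distinct query names per client, since a run of random-looking names is a better hint of malware than a burst of repeated lookups of one name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the style of a BIND 9 "querylog" channel
# (timestamp, client address#port, qname, class, type). Not lines from
# the thread; addresses come from the RFC 5737 documentation ranges.
# 203.0.113.10 plays the infected PC: six queries for random-looking
# names within about a quarter of a second. One non-query line is
# included to show that unrelated log messages are skipped.
SAMPLE_LOG = """\
26-Dec-2006 10:15:01.101 client 203.0.113.10#1025: query: xkq7zr.example.net IN A +
26-Dec-2006 10:15:01.150 client 203.0.113.10#1025: query: b2m9lt.example.net IN A +
26-Dec-2006 10:15:01.203 client 203.0.113.10#1025: query: pq04wd.example.net IN A +
26-Dec-2006 10:15:01.260 client 203.0.113.10#1025: query: hh3sx1.example.net IN A +
26-Dec-2006 10:15:01.310 client 203.0.113.10#1025: query: zz81kp.example.net IN A +
26-Dec-2006 10:15:01.375 client 203.0.113.10#1025: query: r0vn6c.example.net IN A +
26-Dec-2006 10:15:01.500 client 198.51.100.7#3201: query: www.example.com IN A +
26-Dec-2006 10:15:02.000 zone example.com/IN: loaded serial 2006122601
26-Dec-2006 10:15:02.000 client 203.0.113.25#1033: query: www.example.org IN A +
26-Dec-2006 10:15:02.900 client 203.0.113.25#1033: query: mail.example.org IN MX +
26-Dec-2006 10:15:03.200 client 198.51.100.7#3201: query: mail.example.com IN MX +
26-Dec-2006 10:15:03.850 client 203.0.113.25#1033: query: ns1.example.org IN A +
26-Dec-2006 10:15:04.700 client 203.0.113.25#1033: query: example.org IN AAAA +
"""

# Assumed line layout: "<dd-Mon-yyyy HH:MM:SS.mmm> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)'
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d-%b-%Y %H:%M:%S.%f')
    return ts, m.group('ip'), m.group('qname'), m.group('qtype')


def find_offenders(lines, limit=3, window=1.0):
    """Map client IP -> peak number of queries seen in any sliding window
    of `window` seconds, keeping only clients whose peak exceeds `limit`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # zone loads, notifies, etc. are not queries
        ts, ip, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window; the newly
        # appended one is always kept, so the loop terminates.
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}


def distinct_qnames(lines):
    """Map client IP -> number of distinct names it asked for."""
    names = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            _, ip, qname, _ = parsed
            names[ip].add(qname.lower())
    return {ip: len(s) for ip, s in names.items()}


def main():
    lines = SAMPLE_LOG.splitlines()
    offenders = find_offenders(lines)
    diversity = distinct_qnames(lines)
    print(f"{'client':<16} {'peak qps':>8} {'distinct names':>14}")
    for ip, qps in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {qps:>8} {diversity.get(ip, 0):>14}")


if __name__ == '__main__':
    main()
```

Run against the constructed sample it lists only 203.0.113.10 (peak 6 qps, 6 distinct names); the client that spreads four queries over three seconds stays under the limit because the window slides rather than resetting on second boundaries. In practice you would feed it the BIND querylog, tune `limit` and `window` to what your legitimate clients actually do, and use the output to decide which specific hosts to contact or egress-filter, which is the targeted action the thread recommends over rate-limiting every client.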





Need to restrict DNS requests to just 5 per second

2006-12-26 Thread Tek Bahadur Limbu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Dear All,

I have a question regarding my Bind dns name server. About 1000 users
are using my dns name server using public IPs.

I need to restrict dns (udp) requests to not more than 3 requests per
second from each client's IP.

Is there a way which we can apply this restriction using the
configuration files of Bind or IPFW or anything for that matter?



- -- 


With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFkQiQVrOl+eVhOvYRAkplAJ9rnk9JnQiG/OGd5diAqw4OsdudgACfaWa9
gWcC8nUxZhxzMcJuWbgjhYY=
=lH8V
-END PGP SIGNATURE-