Indeed, this looks useful. However, performing the rate limiting in the kernel using firewall rules can be more efficient and not require any BIND patches.
There are three mechanisms I can think of for performing this rate limiting today, without waiting for updates:

- Insert iptables hashlimit rules. Here is one suggested rule:

    -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
      --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
      --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse

  (The rule was suggested by joerg jungermann in another context at
  http://mailman.powerdns.com/pipermail/pdns-users/2012-September/009235.html )

- Use phreld to dynamically insert DROP rules for hosts that bypass limits:
  http://www.digitalgenesis.com/software/phrel/manual/phreld.html
  (Sadly, not packaged for Ubuntu.) I know this option is preferred by some commercial DNS hosts.

- Use ufw limit to add some quick limits. Since this is intended first and foremost to prevent OpenSSH brute-force connection attempts, the default limits may be too low for applying to DNS. This might still be appropriate for very small installations, however. Your mileage may vary.

I hope this helps.

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1202278

Title: bind9 has no rate limit option

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1202278/+subscriptions

-- 
Ubuntu-server-bugs mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
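An added example, not from the bug thread, from bind9 or from Ubuntu: a small POSIX shell helper that turns the hashlimit rule quoted in the comment above into a reviewable dry-run/apply script. The chain name drop_log_dns_abuse and the rate, burst and hash-table numbers come from the quoted rule; the contents of that chain (a rate-limited LOG followed by DROP), insertion at the top of INPUT, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug thread: wraps the hashlimit rule quoted
# in the comment into a dry-run/apply helper. Assumptions: the target chain
# drop_log_dns_abuse logs (rate-limited) and then drops, the match rule is
# inserted at the top of INPUT, and the defaults below match the quoted rule.

IPT="${IPT:-iptables}"                 # set IPT=ip6tables to build the v6 twin
CHAIN="${CHAIN:-drop_log_dns_abuse}"   # chain name referenced in the thread
RATE="${RATE:-200/sec}"                # per-source-IP rate above which we drop
BURST="${BURST:-500}"                  # initial token bucket per source IP

# Print the iptables commands, one per line, without executing anything.
# Positional arguments override the defaults: rate, burst, chain.
dns_ratelimit_rules() {
    rate="${1:-$RATE}"
    burst="${2:-$BURST}"
    chain="${3:-$CHAIN}"
    cat <<EOF
$IPT -N $chain
$IPT -A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DNS-ABUSE: "
$IPT -A $chain -j DROP
$IPT -I INPUT -p udp --dport 53 -m hashlimit --hashlimit-above $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name DNS-ABUSER --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j $chain
EOF
}

# Number of commands the generated policy consists of (sanity check).
dns_ratelimit_rule_count() {
    dns_ratelimit_rules "$@" | grep -c .
}

# Execute the generated commands in order, stopping at the first failure.
# Needs root and the xt_hashlimit module; review the dry-run output first.
apply_dns_ratelimit() {
    dns_ratelimit_rules "$@" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd" || exit 1
    done
}

case "${1:-}" in
    apply) shift; apply_dns_ratelimit "$@" ;;
    *)     dns_ratelimit_rules "$@" ;;
esac
```

Run the script without arguments to print the rules; `sh dns-ratelimit.sh apply` executes them. The LOG rule inside the drop chain is itself limited with `-m limit`, so a flood that trips the hashlimit cannot also fill the syslog. The rule covers only UDP/53 on IPv4, as in the thread; a server that also answers over TCP or IPv6 needs the same rule with `-p tcp` and under `ip6tables` (IPT=ip6tables) so that those paths are not left unlimited.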
