Rate limiting perhaps depends a lot on the usage scenario, whether:

(1) the resolver is serving only trusted LAN clients, in which case rate limiting may not be necessary unless a client is suspected of being malicious. I read a suggestion somewhere to establish a baseline for DNS queries from clients that represents the normal/average usage and to set the rate limit in the firewall accordingly. The firewall rate limit, though, is per packet and not per DNS query/response, which could be different due to payload, in particular if EDNS is added to the mix. If EDNS is supported by both hosts in a DNS communication, then UDP payloads greater than 512 bytes can be used. EDNS is a feature that can be leveraged to improve bandwidth for DNS tunneling.

(2) the resolver is serving untrusted WAN clients, in which case establishing a baseline and a subsequent reasonable rate limit might prove difficult.

(Packet) rate limiting via the firewall on its own would seem to be a rather rudimentary form of protection, and some advanced firewall logic/learning would advance the protection level, e.g. a maximum number of queries from the same client IP for the same TLD/SLD within the TTL. BIND has implemented some Recursive Client Rate Limiting (https://kb.isc.org/docs/aa-01304); unfortunately Unbound does not appear to provide similar functionality.

On 23.11.2018 09:41, via Unbound-users wrote:
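As an added illustration of the per-client, per-TLD/SLD limit suggested in the post above (example code, not from the thread or from Unbound itself): a small detector that counts queries per (client IP, registrable domain) over a sliding window standing in for the TTL. The log lines are constructed, and their shape (Unbound's `log-queries: yes` output) is an assumption.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines; the format "[epoch] unbound[pid:tid] info: <client> <qname> <qtype> <qclass>"
# is assumed to match Unbound's log-queries output.
SAMPLE_LOG = """\
[1542962470] unbound[1234:0] info: 192.0.2.10 www.example.com. A IN
[1542962471] unbound[1234:0] info: 192.0.2.10 mail.example.com. MX IN
[1542962471] unbound[1234:0] info: 192.0.2.20 www.example.org. A IN
[1542962472] unbound[1234:0] info: 192.0.2.10 a1.tunnel.example.com. TXT IN
[1542962473] unbound[1234:0] info: 192.0.2.10 a2.tunnel.example.com. TXT IN
[1542962474] unbound[1234:0] info: 192.0.2.10 a3.tunnel.example.com. NULL IN
[1542962900] unbound[1234:0] info: 192.0.2.10 a4.tunnel.example.com. TXT IN
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def registrable_part(qname, labels=2):
    """Approximate the TLD/SLD pair by keeping the last `labels` labels of the name."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def find_bursts(log_text, window_seconds=300, max_queries=3):
    """Return (client, domain, count, ts) once per burst, i.e. at the query that
    takes a (client, TLD/SLD) pair past max_queries within window_seconds.
    Only query lines are counted; the window is a stand-in for the record TTL."""
    recent = defaultdict(deque)  # (client, domain) -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line
        ts = int(m.group("ts"))
        key = (m.group("client"), registrable_part(m.group("qname")))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_seconds:  # expire timestamps outside the window
            q.popleft()
        if len(q) == max_queries + 1:  # alert once when the threshold is crossed
            alerts.append((key[0], key[1], len(q), ts))
    return alerts
```

Per-packet firewall counters would not distinguish the four queries to tunnel.example.com from four queries to unrelated names; grouping by client and TLD/SLD is what makes the burst visible.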
