On Saturday, March 30, 2013 12:24:22 AM Rok Potočnik wrote:
> On 29.3.2013 23:41, Phil Pennock wrote:
> > That's a feature for authoritative DNS service. Myself, I highly recommend and endorse those rate-limits for authoritative servers: in particular, their patch for bind works really well.
> >
> > Unbound is a _resolver_. It does not provide authoritative service except as a local_data hack for splicing data in. The rate limit concepts as defined on that page simply don't apply to Unbound.
> >
> > You should not be providing recursive DNS service that's open to the Internet.
> >
> > See the "access-control:" directive.
> >
> > If you're only providing recursive DNS service to your own customers, then you can block packets with a source IP that claims to be your customers at your border routers, so the spoofed traffic is blocked before it even reaches your DNS servers.
> >
> > What is your setup, that you need to have recursive service offered to third-party networks, and what issues are you trying to solve?
> >
> > -Phil
>
> I know rate limiting was intended for authoritative servers but due to last week's DDoS attacks towards Spamhaus I'd like to limit the rate of our users' queries (ISP, couple of /16 subnets).
>
> Don't get me wrong - the servers are working as they should and are resolving records *just* for our supernets; but quite a few of the subscribers have an open resolver on their hands and are using our resolver as a forwarder. Just take a look at the attached picture of one of the few resolvers' statistics.
bind has the dampening patch for these purposes, I believe. Don't know how it behaves in practice, but have heard good things about it.

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
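An added example, not code from the thread or from the Unbound project, for the second problem raised above: finding the subscribers whose own open resolvers are forwarding through the ISP's recursor. It tallies queries per client address over a sliding window from Unbound `log-queries: yes` output and renders the flagged sources as per-host `access-control:` lines (the directive Phil points to). The log lines are constructed, the `info: <client-ip> <qname> <qtype> <qclass>` layout is assumed to match Unbound's query log, and the window, threshold and /32 granularity are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Unbound "log-queries: yes" lines. Assumed layout: syslog
# prefix, then "info: <client-ip> <qname> <qtype> <qclass>".
SAMPLE_LOG = """\
Mar 30 00:24:22 ns1 unbound[1234:0] info: 10.1.2.3 example.com. A IN
Mar 30 00:24:22 ns1 unbound[1234:0] info: 10.1.2.3 example.net. A IN
Mar 30 00:24:23 ns1 unbound[1234:0] info: 10.1.2.3 example.org. ANY IN
Mar 30 00:24:23 ns1 unbound[1234:0] info: 10.1.2.3 isc.org. ANY IN
Mar 30 00:24:24 ns1 unbound[1234:0] info: 10.1.9.9 example.com. A IN
Mar 30 00:24:40 ns1 unbound[1234:0] info: 10.1.2.3 example.com. AAAA IN
Mar 30 00:24:41 ns1 unbound[1234:0] info: 10.1.9.9 example.com. MX IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound\[[\d:]+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")

def parse(line, year=2013):
    """Return (timestamp, client, qname, qtype) or None for non-query lines.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["qname"], m["qtype"]

def heavy_talkers(log_text, window_s=10, limit=3):
    """Map each client that sent more than `limit` queries inside any
    `window_s`-second window to its peak count. One deque per client
    holds only timestamps still inside the window, so memory is bounded."""
    recent = defaultdict(deque)
    peak = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, _, _ = rec
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit:
            peak[client] = max(peak.get(client, 0), len(q))
    return peak

def access_control_lines(peak, action="refuse"):
    """Render flagged clients as Unbound access-control lines (/32 each)."""
    return [f"access-control: {ip}/32 {action}" for ip in sorted(peak)]
```

On a real recursor this is a triage aid: a host that trips the threshold is a candidate for contact or a temporary refuse entry, while ingress filtering of spoofed customer sources at the border (as suggested above) still has to be done on the routers.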
