[c-nsp] rate limit dns
Gert Doering
gert at greenie.muc.de
Thu Jan 2 08:09:44 EST 2014
Hi,
On Thu, Jan 02, 2014 at 11:22:50AM +0200, Eugeniu Patrascu wrote:
> FWIW, if you run your customers' recursive resolvers on a Linux/*BSD box you
> can set up iptables/pf in such a way that you only allow queries from
> customers and from your resolver to the internet in a stateful way and deny
> unrelated incoming "responses" and still have the same performance levels.
I would strongly recommend *against* doing stateful anything in front of
a DNS server. It won't serve a useful function (as unbound etc. are
quite good at recognizing "real" responses vs. "fake"), but serves as
an additional chokepoint which might run into overload far before your
servers die.
I've been there :-) (FreeBSD, unbound, using pf(4) firewalling with state)
and the stateful firewalling about doubled the CPU load on the system.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
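To make the two approaches in this exchange concrete, here is an added pf.conf fragment (not from the thread or either poster) contrasting the stateful rule set proposed above with the stateless one Gert prefers; the address macros are assumptions.

```pf
# Added example, not from the thread. Customer prefixes and resolver
# addresses below are assumptions (documentation ranges).
customers = "{ 192.0.2.0/24, 2001:db8:1::/48 }"
resolver  = "{ 198.51.100.53, 2001:db8::53 }"

block in all

# Variant 1 (stateful, as proposed upstream): every customer query and every
# outbound recursion creates a state entry, and only packets matching a state
# get back in. Unsolicited "responses" never reach unbound, but the state
# table and its per-packet lookups become the chokepoint under query load.
# pass in  proto { udp, tcp } from $customers to $resolver port 53 keep state
# pass out proto { udp, tcp } from $resolver to any port 53 keep state

# Variant 2 (stateless, Gert's approach): plain per-packet ACLs with
# "no state". Customer queries in, recursion out, and answers from port 53
# back to the resolver are all passed without a state table; rejecting
# forged or unsolicited answers is left to unbound itself.
pass in  proto { udp, tcp } from $customers to $resolver port 53 no state
pass out proto { udp, tcp } from $resolver to any port 53 no state
pass in  proto { udp, tcp } from any port 53 to $resolver no state
```

The stateless variant still drops queries from non-customer sources (open-resolver abuse) while keeping pf out of the path between the resolver and the answers it is waiting for.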