DNS - connection limit (without any extra hardware)

Daniel Golding dgolding at t1r.com
Sun Dec 10 17:33:11 UTC 2006

On Dec 8, 2006, at 12:57 PM, Joe Abley wrote:

> I think the trouble comes when you want to limit the request rate  
> *per client source address*, rather than limiting the request rate  
> across the board. That implies the retention of state, and since  
> DNS transactions are brief (and since the client population is  
> often large) that can add up to a lot of state to keep at an  
> aggregation point like a router.
> There some appliances which are designed to hold large amounts of  
> state (e.g. f5's big-ip) but you're talking non-trivial dollars for  
> that. Beware enterprise-scale stateful firewall devices which might  
> seem like sensible solutions to this problem. They are often not  
> suitable for use in front of busy DNS servers (even a few hundred  
> new flows per second is a lot for some vendors, despite the  
> apparent marketing headroom based on the number of kbps you need to  
> handle).

Folks should also look at some of the DNS appliances (I know, this is  
"extra hardware"). Although they usually run BIND, they tend to be  
fairly optimized and have extra management functionality that may  
help with the rate limiting (if not, it's probably a feature request  
that the vendors would entertain rapidly, as there's some pretty  
intense competition). Some folks to talk to - Infoblox and Bluecat.  
If you have really large DNS rate requirements, I'd consider talking  
to Nominum.

I'm curious as to just how bursty things are - how large of a  
departure from normality are we talking about? An order of magnitude?  

- Dan

> You may find that you can install ipfw (or similar) rules on your  
> nameservers themselves to do this kind of thing. Take careful note  
> of what happens when the client population becomes large, though --  
> the garbage collection ought to be smooth and painless, or you'll  
> just wind up swapping one worm proliferation failure mode for another.
> Host-based per-client rate limits scale better if there are many  
> hosts providing service, e.g. behind a load balancer or using  
> something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.
> As to the wider question, cleaning up the infected hosts is an  
> excellent goal, but it'd certainly be nice if your DNS servers  
> continued to function while you were doing so. Having every non-infected  
> customer phone up screaming at once can be an unwelcome  
> distraction when you already have more man hours of work to do per  
> day than you have (staff * 24).
> Joe
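Added example, not part of the thread and not anything Joe or Dan posted: a host-based per-client-source-address rate limiter of the kind the quoted text describes, written in Python to make the two points above concrete. The state problem is the per-source bucket table, and the "garbage collection" is the bounded idle-entry sweep plus a hard cap on table size, so a large client population cannot grow memory without limit. The token-bucket parameters, the sample source addresses (from the RFC 5737 documentation ranges) and the query timeline are all constructed for the example; nothing here is an ipfw rule or any vendor's implementation.

```python
from collections import OrderedDict

class PerClientLimiter:
    """Token bucket per source address with bounded state.

    buckets maps src -> [tokens, last_seen], kept in least-recently-seen
    order so that the oldest idle entries are always at the front.
    """

    def __init__(self, rate, burst, idle_ttl, max_entries, gc_budget=64):
        self.rate = float(rate)          # tokens refilled per second
        self.burst = float(burst)        # bucket capacity
        self.idle_ttl = float(idle_ttl)  # seconds before an idle entry is reaped
        self.max_entries = max_entries   # hard cap on retained state
        self.gc_budget = gc_budget       # max entries examined per gc() call
        self.buckets = OrderedDict()

    def gc(self, now):
        """Reap idle entries from the front, doing bounded work per call.

        Stops at the first non-idle entry (everything behind it is newer),
        or after gc_budget entries, so a sweep never stalls the query path.
        """
        removed = 0
        for _ in range(self.gc_budget):
            if not self.buckets:
                break
            src, (_tokens, last_seen) = next(iter(self.buckets.items()))
            if now - last_seen < self.idle_ttl:
                break
            self.buckets.popitem(last=False)
            removed += 1
        return removed

    def allow(self, src, now):
        """Return True if a query from src at time `now` is within limits."""
        bucket = self.buckets.get(src)
        if bucket is None:
            if len(self.buckets) >= self.max_entries:
                # Table full: reap idle state first, then evict the
                # least-recently-seen client if that was not enough.
                self.gc(now)
                if len(self.buckets) >= self.max_entries:
                    self.buckets.popitem(last=False)
            bucket = [self.burst, now]
            self.buckets[src] = bucket
        else:
            elapsed = now - bucket[1]
            bucket[0] = min(self.burst, bucket[0] + elapsed * self.rate)
            bucket[1] = now
            self.buckets.move_to_end(src)  # keep LRU ordering for gc()
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False


# Constructed sample traffic: (timestamp, source address) per query.
# Three ordinary clients send one query each, one misbehaving host
# sends 50 queries in the same instant, and one ordinary client
# returns 100 seconds later.
SAMPLE_QUERIES = (
    [(100.0, "192.0.2.10"), (100.0, "192.0.2.11"), (100.0, "192.0.2.12")]
    + [(100.0, "198.51.100.7")] * 50
    + [(200.0, "192.0.2.10")]
)


def run_sample(queries=SAMPLE_QUERIES):
    """Replay the sample through the limiter and report what happened."""
    limiter = PerClientLimiter(rate=5, burst=10, idle_ttl=30, max_entries=10000)
    allowed = dropped = 0
    for ts, src in queries:
        if limiter.allow(src, ts):
            allowed += 1
        else:
            dropped += 1
    last_ts = queries[-1][0]
    reaped = limiter.gc(last_ts)
    return {
        "allowed": allowed,
        "dropped": dropped,
        "gc_removed": reaped,
        "remaining": len(limiter.buckets),
    }


if __name__ == "__main__":
    print(run_sample())
```

The misbehaving host gets its burst allowance and is then dropped, the ordinary clients are unaffected, and after the idle window every bucket except the one client still active is reaped. The `max_entries` cap is the piece that matters most under the scenario in the thread: when a worm population pushes the table to its ceiling, the limiter sheds the oldest state rather than growing, which trades a little fairness for a server that keeps answering.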
