Best practice on TCP replies for ANY queries

Carlos Vicente cvicente.lists at gmail.com
Wed Dec 11 19:26:05 UTC 2013


If you are using BIND, take a look at:

https://kb.isc.org/article/AA-01000

cv


On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:

> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying in TCP with
> 3700 bytes, releasing very heavy packets. Now I see the presence of some
> (legitimate) DNS forwarders and hence I don't wish to limit queries.
>
>
> As I understand it, there are two ways to fix this:
>
>
>    1. I can put a DNS rate limit on replies to ANY packets, like say 5 replies
>    every one minute (but again I have some forwarders with quite a few
>    machines behind them).
>
>    2. The other way is limiting the TCP port 53 outbound size ... limiting to say
>    600-700 bytes or so.
>
>
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also, under what circumstances can I get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> Twitter <https://twitter.com/anurag_bhatia>
> Skype: anuragbhatia.com
>
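The first option in the quoted post (a per-client cap on ANY replies, with the forwarders as the awkward case) can be tried out offline before touching a production resolver. The script below is an added example written for this thread; it is not code from the thread, from NANOG or from ISC/BIND. It replays constructed query log lines whose layout is modelled on the BIND query log, applies a sliding-window limit per source /24 (the prefix length, the 5-per-minute figure and the exempt list are assumptions standing in for the forwarders mentioned in the post), and reports how many 3700-byte replies (the size quoted in the post) would have been withheld. BIND's real response rate limiting is the `rate-limit` statement in named.conf, which has more machinery (per-response-type limits, `slip`, `exempt-clients`) than this approximation.

```python
"""Simulate per-client rate limiting of ANY responses over BIND-style query log lines.

Added example for the thread above, not BIND's RRL implementation. The log lines
and the client addresses are constructed; the prefix length and limits are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout modelled on a BIND query log line; the sample lines below are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one source hammering ANY, one forwarder (exempt), one normal A query.
LOG_LINES = """\
11-Dec-2013 13:06:00.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:01.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:02.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:03.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:04.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:10.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:11.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:12.000 client 203.0.113.10#4444: query: example.net IN ANY +E
11-Dec-2013 13:06:20.000 client 198.51.100.7#53000: query: example.net IN ANY +E
11-Dec-2013 13:06:21.000 client 198.51.100.7#53000: query: example.net IN ANY +E
11-Dec-2013 13:06:22.000 client 198.51.100.7#53000: query: example.net IN ANY +E
11-Dec-2013 13:06:30.000 client 192.0.2.44#5353: query: www.example.com IN A +E
11-Dec-2013 13:07:10.000 client 203.0.113.10#4444: query: example.net IN ANY +E
"""


class AnyResponseLimiter:
    """Sliding-window limiter: at most `limit` ANY answers per `window` seconds
    per source prefix. Sources inside `exempt` networks (the forwarders) are never limited."""

    def __init__(self, limit=5, window=60.0, prefix_len=24, exempt=()):
        self.limit = limit
        self.window = window
        self.prefix_len = prefix_len            # assumed /24 grouping for IPv4
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.hits = defaultdict(deque)          # bucket -> timestamps of answered ANY queries

    def _bucket(self, src):
        ip = ipaddress.ip_address(src)
        plen = self.prefix_len if ip.version == 4 else 56   # assumed /56 for IPv6
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def decide(self, ts, src):
        """Return 'exempt', 'answer' or 'drop' for one ANY query seen at epoch time ts."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.exempt):
            return "exempt"
        recent = self.hits[self._bucket(src)]
        while recent and ts - recent[0] >= self.window:   # expire answers older than the window
            recent.popleft()
        if len(recent) >= self.limit:
            return "drop"
        recent.append(ts)
        return "answer"


def replay(lines, limiter, any_reply_bytes=3700):
    """Feed log lines through the limiter and return per-decision counts plus the
    response bytes withheld (drops times the reply size quoted in the thread)."""
    counts = {"answer": 0, "drop": 0, "exempt": 0, "passthrough": 0, "unparsed": 0}
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if m["qtype"] != "ANY":
            counts["passthrough"] += 1          # only ANY is subject to the limit here
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp()
        counts[limiter.decide(ts, m["src"])] += 1
    counts["bytes_withheld"] = counts["drop"] * any_reply_bytes
    return counts


if __name__ == "__main__":
    lim = AnyResponseLimiter(limit=5, window=60.0, exempt=["198.51.100.0/24"])
    print(replay(LOG_LINES, lim))
```

In the sample, the noisy /24 gets five answers, three drops, and one more answer once its earliest hits age out of the 60-second window; the forwarder's three ANY queries pass untouched because its prefix is exempt; the A query is never counted. That is the trade-off the post describes: an exempt list keeps the forwarders working, but every exempt prefix is also a prefix that can still be used for large replies.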



More information about the NANOG mailing list