Best practice on TCP replies for ANY queries
- Subject: Best practice on TCP replies for ANY queries
- From: cvicente.lists at gmail.com (Carlos Vicente)
- Date: Wed, 11 Dec 2013 14:26:05 -0500
- In-reply-to: <CAJ0+aXZ5kC=ngBYdZbK2A+d296uVotdyTHBii4NgJTtbdyGhDw@mail.gmail.com>
- References: <CAJ0+aXZ5kC=ngBYdZbK2A+d296uVotdyTHBii4NgJTtbdyGhDw@mail.gmail.com>
If you are using BIND, take a look at:
https://kb.isc.org/article/AA-01000
cv
On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:
> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying in TCP with
> 3700 bytes, releasing very heavy packets. Now I see the presence of some
> (legitimate) DNS forwarders and hence I don't wish to limit queries.
>
>
> As I understand it, there are two ways to fix this:
>
>
> 1. I can put a DNS rate limit on replies to ANY packets, like say 5 replies
> every one min. (but again I have some forwarders with quite a few
> machines behind them).
>
> 2. The other way is limiting the TCP port 53 outbound size ... limiting to say
> 600-700 bytes or so.
>
>
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also, under what circumstances can I get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> Twitter<https://twitter.com/anurag_bhatia>
> Skype: anuragbhatia.com
>
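A defender-side illustration of the first option discussed in the thread (limiting ANY replies per client, e.g. 5 per minute, while exempting known forwarders), as added example code that is not part of this thread and not BIND's own RRL implementation: it uses a simplified sliding window rather than BIND's credit-based algorithm, and the query-log lines, the forwarder address 198.51.100.2 and the 5-per-minute policy are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed BIND 9.9-style query-log lines (sample data, not real traffic).
def _log_line(sec, client, qtype):
    return (f"11-Dec-2013 13:{sec // 60:02d}:{sec % 60:02d}.000 client {client}#4123: "
            f"query: example.net IN {qtype} +T (192.0.2.53)")

SAMPLE_LOG = [_log_line(s, "203.0.113.9", "ANY") for s in range(1, 8)]    # 7 ANY in 7 s
SAMPLE_LOG += [_log_line(8, "203.0.113.9", "A")]                          # A is never limited
SAMPLE_LOG += [_log_line(s, "198.51.100.2", "ANY") for s in range(1, 8)]  # assumed forwarder
SAMPLE_LOG += [_log_line(70, "203.0.113.9", "ANY")]                       # window has slid

LINE_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+) ")

def parse(line):
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(2), m.group(3), m.group(4)

def limit_any(lines, limit=5, window_s=60, exempt=frozenset()):
    """Count answered vs limited queries per client.

    A client gets at most `limit` ANY answers in any `window_s`-second period
    (sliding window). Other query types and exempt clients (forwarders) are
    always answered.
    """
    recent = defaultdict(deque)   # client -> timestamps of recently answered ANY
    stats = defaultdict(lambda: {"answered": 0, "limited": 0})
    for ts, client, _qname, qtype in sorted(filter(None, map(parse, lines))):
        if qtype != "ANY" or client in exempt:
            stats[client]["answered"] += 1
            continue
        q = recent[client]
        while q and (ts - q[0]).total_seconds() >= window_s:   # expire old entries
            q.popleft()
        if len(q) >= limit:
            stats[client]["limited"] += 1
        else:
            q.append(ts)
            stats[client]["answered"] += 1
    return dict(stats)

def example_stats():
    return limit_any(SAMPLE_LOG, limit=5, window_s=60, exempt={"198.51.100.2"})
```

In practice the exempt list would hold the forwarders mentioned in the question, so their aggregated ANY traffic is not mistaken for an attack while single attacking sources are still held to the limit.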