Open Resolver Problems
- Subject: Open Resolver Problems
- From: owen at delong.com (Owen DeLong)
- Date: Wed, 27 Mar 2013 08:54:27 -0700
- In-reply-to: <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAEmG1=oXXwHObBcBaRTFTj9-uyq_dFfB4j63LAmKp8Y4hdT+Wg@mail.gmail.com> <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com> <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
It's been available in Linux for a long time, just not in BIND?
Here is a working ip6tables example:
-A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst of <90).
Owen
On Mar 27, 2013, at 6:47 AM, William Herrin <bill at herrin.us> wrote:
> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom at cloudflare.com> wrote:
>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).
>
> Right now that's a complaint for the mainstream software authors, not
> for the system operators. When the version of Bind in Debian Stable
> implements this feature, I'll surely turn it on.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
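An added simulation, not from the thread, of how Owen's chain above treats an inbound DNS query: the two trusted prefixes are taken from his rules, the token bucket approximates netfilter's `limit` match, and the sample traffic and source addresses are constructed.

```python
import ipaddress

# Trusted prefixes from the posted rules: accepted before any rate limit applies.
TRUSTED = [ipaddress.ip_network("2620:0:930::/48"),
           ipaddress.ip_network("2001:470:1f00:3142::/64")]

class LimitMatch:
    """Token bucket approximating `-m limit --limit 30/minute --limit-burst 90`.
    The `limit` match keeps one bucket per rule, shared by every source address."""

    def __init__(self, per_minute=30, burst=90):
        self.rate = per_minute / 60.0   # tokens refilled per second
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full: the first 90 pass
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def decide(src, now, bucket):
    """Walk the chain: trusted prefix -> ACCEPT; otherwise ACCEPT only while the
    shared bucket has a token, else no rule matches and we report DROP."""
    if any(ipaddress.ip_address(src) in net for net in TRUSTED):
        return "ACCEPT"
    return "ACCEPT" if bucket.allow(now) else "DROP"

def simulate(queries):
    """queries: time-ordered list of (timestamp_seconds, source_address)."""
    bucket = LimitMatch()
    return [decide(src, t, bucket) for t, src in queries]

def demo():
    """Constructed traffic: a 200-query burst from one untrusted host at t=0, one
    query from a trusted host, then 40 more untrusted queries a minute later."""
    untrusted = "2001:db8::1"     # constructed, RFC 3849 documentation prefix
    trusted = "2620:0:930::53"    # constructed address inside a posted /48
    queries = [(0.0, untrusted)] * 200 + [(0.0, trusted)] + [(60.0, untrusted)] * 40
    verdicts = simulate(queries)
    return {
        "burst_accepted": verdicts[:200].count("ACCEPT"),         # 90: the burst
        "trusted": verdicts[200],                                 # ACCEPT regardless
        "minute_later_accepted": verdicts[201:].count("ACCEPT"),  # 30: one minute of refill
    }
```

Because `limit` keeps a single bucket per rule, one noisy source exhausts the allowance for every other client; per-source limiting needs the `hashlimit` match (`--hashlimit-mode srcip`). Queries that find the bucket empty simply fall through to whatever rule follows in the chain.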