Open Resolver Problems
- Subject: Open Resolver Problems
- From: mdavids at forfun.net (Marco Davids)
- Date: Wed, 27 Mar 2013 19:44:47 +0100
On 27-03-13 16:54, Owen DeLong wrote:
> It's been available in linux for a long time, just not in BIND?
Not entirely true:
http://www.redbarn.org/dns/ratelimits
>
> Here is a working ip6tables example:
>
Tricky...
There is also the 'hashlimit' module (at least for v4, not sure about
v6), that may be a better approach, because it works on a 'per IP
address' basis.
See https://lists.isc.org/pipermail/bind-users/2012-July/088223.html for
some inspiration of how it may be of value.
--
Marco
On Mar 27, 2013, at 6:47 AM, William Herrin <bill at herrin.us> wrote:
>> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom at cloudflare.com> wrote:
>>> Authoritative DNS servers need to implement rate limiting. (a client
>>> shouldn't query you twice for the same thing within its TTL).
>> Right now that's a complaint for the mainstream software authors, not
>> for the system operators. When the version of Bind in Debian Stable
>> implements this feature, I'll surely turn it on.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
>> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>> Falls Church, VA 22042-3004
>
--
Marco Davids
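
The per-address point made above about 'hashlimit', as an added example that is not part of the original message: a simplified token-bucket model (not netfilter's code) comparing one shared limit with one bucket per source IP. The addresses, rates and function names are constructed assumptions.

```python
from collections import defaultdict

class TokenBucket:
    """Refills at `rate` tokens/second up to `burst`; one token per query."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

NOISY = "192.0.2.66"  # constructed address (documentation range)
QUIET = ("198.51.100.10", "198.51.100.11", "198.51.100.12")  # constructed

def constructed_traffic(seconds=10):
    """Constructed sample: NOISY sends 200 qps, each QUIET client 1 qps."""
    events = []
    for s in range(seconds):
        events += [(s + i / 200.0, NOISY) for i in range(200)]
        events += [(s + 0.5, ip) for ip in QUIET]
    return sorted(events)

def simulate(events, rate, burst, per_source):
    """Return {source: queries passed}; per_source=False shares one bucket."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed = defaultdict(int)
    for now, src in events:
        bucket = buckets[src if per_source else "*"]
        passed[src] += 1 if bucket.allow(now) else 0
    return dict(passed)

if __name__ == "__main__":
    traffic = constructed_traffic()
    for per_source in (False, True):
        label = "per-source" if per_source else "shared"
        print(label, simulate(traffic, rate=10, burst=20, per_source=per_source))
```

With the shared bucket the noisy source consumes every token and the quiet clients are dropped; with per-source buckets only the noisy source is throttled.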