bind-users-bounces+wbrown=e1b....@lists.isc.org wrote on 06/15/2012 04:25:16 AM:
> We have a problem with one of our firewalls caused by DNS peaks.
> Once or twice a day a DNS burst (20K requests/15sec) kills all
> connections on the firewall.
> The firewall is due for replacement but in the meantime we would
> like to stop these peaks at their origin or at least try to limit
> their impact.
>
> We have 6 dns servers (bind) on our campus, that are all
> authoritative for our domains and also resolver for our campus hosts.
> Most of our clients however use our AD/LDAP/DNS Microsoft servers as
> their resolver, which in their turn contact our 6 dns servers for
> further resolving.
>
> What we figured out by packet capturing is that at a certain point
> in time these AD/LDAP/DNS servers start "collecting" dns requests
> without sending them further and then in a burst pass them on to our
> 6 dns servers which try to resolve these queries. Due to the fact
> that one request of a client mostly results in several queries of
> our dns servers to the outside world (root server contact, NS record
> resolving, ...), this results in a burst of dns requests through our
> firewalls, killing them.
>
> I have 2 questions. One, is there a way to rate-limit the number of
> requests a single client (the AD servers in this case) can have
> outstanding against a bind server? Some kind of rate-limiting parameter
> for the bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft
> AD/LDAP/DNS server and has a clue what could cause this stalling?
> Solving that would be the best solution.

Any chance of using network devices (firewalls, intelligent switches) to rate limit connections from the AD/DNS server to the bind server?

Is the odd behavior of the AD/DNS server causing issues with the clients making the original request? Have you tried tracking down the original source of the query? Could that be the ultimate source of the traffic burst?

It seems unlikely that MSDNS would intentionally hold DNS requests. Have you tried troubleshooting that?
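One practical way to act on the "track down the original source" suggestion above is to run the BIND query log through a per-client sliding-window counter and see which resolver client (the AD/DNS servers, in the original post's setup) is behind each burst and which names it is asking for. The script below is an added example written for this thread, not code from the original poster, the replier or the BIND project; it assumes the standard BIND 9 query-log line format shown in its comment, and the log lines it runs on are constructed inline (a fabricated 10.0.0.5 "AD server" that fires 60 queries in under three seconds, and a quiet 10.0.0.9 client). The default threshold matches the post's 20K requests per 15 seconds; the sample run lowers it so the tiny constructed log trips it.

```python
# Added example (not part of the original thread): a per-client sliding-window
# burst detector over BIND query-log lines, to find which resolver client is
# behind a burst and which names it is asking for.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 query-log line format (logging category "queries"), e.g.:
#   15-Jun-2012 04:25:16.123 client 10.0.0.5#53210: query: www.example.com IN A + (10.0.0.1)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def find_bursts(lines, window_s=15.0, threshold=20000):
    """Map client_ip -> (peak_count, time_of_peak) for every client whose query
    count inside some sliding window of window_s seconds reaches threshold.
    Lines must be in log order per client, as they are in a real query log.
    Defaults match the 20K requests / 15 s figure from the post."""
    windows = defaultdict(deque)   # client_ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _, _ = rec
        dq = windows[ip]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() > window_s:
            dq.popleft()               # drop timestamps that fell out of the window
        if len(dq) >= threshold and (ip not in peaks or len(dq) > peaks[ip][0]):
            peaks[ip] = (len(dq), ts)
    return peaks


def top_qnames(lines, client_ip, n=5):
    """Most-queried names from one client; a few names repeated thousands of
    times points at the original requester (or a query loop) behind the burst."""
    counts = Counter(rec[2] for rec in map(parse_line, lines)
                     if rec is not None and rec[1] == client_ip)
    return counts.most_common(n)


# --- constructed sample log: one bursting "AD server" and one quiet client ---
_BASE = datetime(2012, 6, 15, 4, 25, 0)


def _stamp(offset_s):
    return (_BASE + timedelta(seconds=offset_s)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]


_entries = []
for i in range(60):    # constructed: 10.0.0.5 sends 60 queries in under 3 seconds
    _entries.append((10 + i * 0.05,
                     f"{_stamp(10 + i * 0.05)} client 10.0.0.5#{40000 + i}: query: "
                     f"host{i % 3}.example.net IN A + (10.0.0.1)"))
for i in range(5):     # constructed: 10.0.0.9 sends 5 queries spread over a minute
    _entries.append((5 + i * 12,
                     f"{_stamp(5 + i * 12)} client 10.0.0.9#{50000 + i}: query: "
                     f"www.example.org IN AAAA + (10.0.0.1)"))
SAMPLE_LINES = [line for _, line in sorted(_entries)]

if __name__ == "__main__":
    # Threshold lowered to 50 so the small constructed sample trips the detector.
    for ip, (count, when) in find_bursts(SAMPLE_LINES, window_s=15, threshold=50).items():
        print(f"{ip}: {count} queries in a 15 s window ending {when:%H:%M:%S}")
        print("  top names:", top_qnames(SAMPLE_LINES, ip))
```

On a real log, feed the file's lines to `find_bursts` with the defaults and then call `top_qnames` for each flagged client; if the flagged clients are the AD/DNS servers and their top names cluster on a few zones, the original requester is usually visible from the AD server's own logs or a capture on its client-facing interface.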