On Jun 15, 2012, at 4:25 AM, Holemans Wim wrote:

> We have a problem with one of our firewalls caused by DNS peaks.

Yes. <EOM>

W


> Once or twice a day a DNS burst (20K requests/15sec) kills all connections on 
> the firewall.
> The firewall is due for replacement but in the meantime we would like to 
> stop these peaks at their origin or at least try to limit their impact.
>  
> We have 6 dns servers (bind) on our campus, that are all authoritative for 
> our domains and also resolver for our campus hosts.
> Most of our clients however use our AD/LDAP/DNS Microsoft servers as their 
> resolver, which in turn contact our 6 dns servers for further resolving.
>  
> What we figured out by packet capturing, is that at a certain point in time 
> these AD/LDAP/DNS servers start ‘collecting’ dns requests without sending 
> them further and then in a burst pass them on to our 6 dns servers which try 
> to resolve these queries. Due to the fact that one request of a client mostly 
> results in several queries of our dns servers to the outside world (root 
> server contact, NS record resolving, ...), this results in a burst of dns 
> requests through our firewalls, killing them.
>  
> I have 2 questions, one, is there a way to rate-limit the number of requests 
> a single client (the AD servers in this case) can have outstanding against a 
> bind server? Kind of rate-limiting parameter for bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS 
> server and has a clue what could cause this stalling? Solving that would be 
> the best solution.
>  
> Thanks in advance for any suggestion, answer,
>  
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp

--
Curse the dark, or light a match. You decide, it's your dark.
                -- Valdis Kletnieks


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
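Picking up Wim's first question: before adding any limiter it helps to confirm from the resolvers' own logs which client is batching. The following is an added example, not code from the thread or from BIND; it parses BIND-style query-log lines (format and sample lines are constructed assumptions, the `@0x...` client handle of newer versions is optional) and reports every client whose query count in any 15-second sliding window reaches a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9.8/9.9-style query log line (constructed, see sample_log()):
# "15-Jun-2012 04:25:00.123 client 10.1.1.10#50001: query: host.example.net IN A + (10.0.0.1)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) "
)

def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname")

def find_bursts(lines, window_s=15, threshold=20000):
    """Map client_ip -> peak number of queries seen in any window_s-second
    sliding window, keeping only clients that reach threshold. Lines are
    assumed to be in log (chronological) order per client."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one AD resolver fires 30 queries within 10 s,
    a workstation sends 3 queries spread 20 s apart."""
    base = datetime(2012, 6, 15, 4, 25, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{i % 10:03d} client 10.1.1.10#5{i:04d}: "
                     f"query: host{i}.example.net IN A + (10.0.0.1)")
    for i in range(3):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client 10.1.2.20#40000: "
                     f"query: www.example.com IN A + (10.0.0.1)")
    return lines

if __name__ == "__main__":
    print(find_bursts(sample_log(), threshold=25))   # {'10.1.1.10': 30}
```

On a real server the threshold would be set near the 20K/15 s figure quoted in the thread and the input would be the querylog channel, so the batching resolver can be identified and its stall investigated rather than only absorbed.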
