On Wed, 3 Aug 2022 13:47:41 +0200 Victor Johansson via bind-users <bind-users@lists.isc.org> wrote:
> Hey,
>
> I just want to add that there is a better way to do this in iptables
> with hashlimit. The normal rate limit in iptables is too crude.
>
> Below is an example from the rate-limit-chain, to which you simply send
> all port 53 traffic from the INPUT chain (make sure to exclude
> 127.0.0.1/127.0.0.53 though :) ).
>
>
> -A INPUT -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
> -A INPUT -p tcp -m tcp --dport 53 -j DNS-RATE-LIMIT
>
> -A DNS-RATE-LIMIT -s 127.0.0.1/32 -m comment --comment "Don't rate-limit localhost" -j RETURN
> # hashlimit matches while the per-source rate stays under 100/sec (burst 300); those packets are accepted.
> # ACCEPT is the built-in target (iptables has no ALLOW target).
> -A DNS-RATE-LIMIT -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 300 --hashlimit-mode srcip --hashlimit-name DNS-drop --hashlimit-htable-expire 2000 -j ACCEPT
> # everything that falls through is over the limit: log at most once per second, then drop.
> -A DNS-RATE-LIMIT -m limit --limit 1/sec -j LOG --log-prefix "DNS-drop: "
> -A DNS-RATE-LIMIT -m comment --comment "ansible[dns rate limiting]" -j DROP
>
>
> //Victor
>

I was using iptables hashlimit for a while but stopped. It wasn't really solving my main problem, which was not so much "overloading" my BIND server as causing my log files to get filled with useless warnings about bad queries (or packets dropped).

It would be nice if BIND had a way to record such error messages into a dumpable table with query, source IP and count.
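The per-query, per-source count table the reply wishes for can be built outside BIND from the log it already writes. The script below is an added example, not code from this thread or from BIND; it assumes the "client [@0xHANDLE] IP#PORT (QNAME): message" line shape of BIND's query-errors and security channels, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the style of BIND's query-errors / security
# channels (IPs are RFC 5737 / RFC 3849 documentation addresses, not real clients).
SAMPLE_LOG = """\
03-Aug-2022 13:50:01.101 client @0x7f3c1c0a2a80 192.0.2.10#53210 (example.com): query failed (SERVFAIL) for example.com/IN/A at query.c:7423
03-Aug-2022 13:50:01.204 client @0x7f3c1c0a2a80 192.0.2.10#53211 (example.com): query failed (SERVFAIL) for example.com/IN/A at query.c:7423
03-Aug-2022 13:50:01.310 client @0x7f3c1c0b1200 198.51.100.7#4444 (isc.org): query (cache) 'isc.org/ANY/IN' denied
03-Aug-2022 13:50:01.900 zone example.com/IN: loaded serial 2022080301
03-Aug-2022 13:50:02.015 client @0x7f3c1c0a2a80 192.0.2.10#53212 (example.com): query failed (SERVFAIL) for example.com/IN/A at query.c:7423
03-Aug-2022 13:50:02.500 client @0x7f3c1c0b1200 198.51.100.7#4445 (isc.org): query (cache) 'isc.org/ANY/IN' denied
03-Aug-2022 13:50:03.000 client @0x7f3c1c0c3300 2001:db8::5#1234 (www.example.net): query failed (REFUSED) for www.example.net/IN/AAAA at query.c:7423
"""

# "client [@0xADDR] IP#PORT (QNAME): message"; the @0x... client handle only
# appears in newer BIND versions, so it is optional (assumed format).
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\((?P<qname>[^)]*)\): )?(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"query failed \((?P<rcode>[A-Z]+)\)")


def classify(msg: str) -> str:
    """Reduce a message to a short reason: the rcode, 'denied', or its first word."""
    m = FAILED_RE.search(msg)
    if m:
        return m.group("rcode")
    if msg.endswith("denied"):
        return "denied"
    return msg.split(" ", 1)[0]


def summarize(log_text: str) -> Counter:
    """Count (source IP, query name, reason) triples over every client line."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # zone loads, startup notices etc. are not client errors
        counts[(m["ip"], m["qname"] or "-", classify(m["msg"]))] += 1
    return counts


def top(counts: Counter, n: int = 10) -> list:
    """Most frequent offenders first, as (ip, qname, reason, count) rows."""
    return [(ip, q, r, c) for (ip, q, r), c in counts.most_common(n)]


if __name__ == "__main__":
    for ip, qname, reason, count in top(summarize(SAMPLE_LOG)):
        print(f"{count:6d}  {ip:<18} {qname:<20} {reason}")
```

Feed it `named`'s query-errors channel (or a syslog extract of it) on stdin or from a file and the most common (source, name, reason) triples come out first, which is usually enough to decide whether a noisy source needs a firewall rule or just a quieter log channel.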