Morning Everyone!! I'm trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables. I'm using a modified script that works perfectly, but I'm limited by one of the settings.
Here is the script.

    # iptables-save format; the *filter header is required by iptables-restore
    *filter
    :INPUT ACCEPT [548:41223]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4439:1270057]
    # Trusted sources (addresses masked) are accepted before the DNS rules
    -A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
    -A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
    -A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
    # Record the source of each UDP/53 packet in the "dnsanyquery" list (one entry per /32 source) and log it
    -A INPUT -p udp -m udp --dport 53 -m recent --set --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG --log-prefix "IPTables-Dropped: "
    # Log again once a source has hit 20 packets within the last 1 second
    -A INPUT -p udp -m udp --dport 53 -m recent --rcheck --seconds 1 --hitcount 20 --name dnsanyquery --mask 255.255.255.255 --rsource -j LOG
    COMMIT

The combination (--seconds 1 --hitcount 20) allows a max of 20 qps. The fact is that hitcount does not allow a number higher than 20. And I'm looking for some rules which allow me to rate limit over 200 or 300 qps. And I cannot find it!! As you can see, I'm only logging these queries to a file up to 20 per second; after that I'm using fail2ban to block these logged queries. Does someone know a better way to block queries above 300 per second? I'm losing a lot of time. Rate limiting to prevent DDoS is killing my brain. :-) How do you rate limit your DNS servers? Thanks in advance. Alejandro.
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
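Added example, not from Alejandro's post or the PowerDNS project: the same per-source DNS limit built with the xt_hashlimit match instead of xt_recent, whose --hitcount is bounded by the module's remembered-packet list (the 20 Alejandro ran into). The 300 qps rate, the burst of 50, the chain name DNSFLOOD and the 60 s table expiry are assumed values; the match is evaluated once per packet in INPUT so the LOG and DROP rules do not each consume rate credit.

```shell
#!/bin/sh
# Per-source DNS rate limit with xt_hashlimit (assumed values, override via env).
QPS=${QPS:-300}          # queries per second per source address
BURST=${BURST:-50}       # extra packets a source may send before limiting kicks in
NAME=${NAME:-dnsflood}   # hashlimit table name
PREFIX=${PREFIX:-"IPTables-Dropped: "}  # log prefix fail2ban can match on

# Emit the rules in iptables-save format. A single hashlimit match in INPUT
# hands offending packets to the DNSFLOOD chain; that chain logs (itself
# limited, so a flood cannot also flood the log fail2ban reads) and drops.
dns_ratelimit_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':DNSFLOOD - [0:0]'
    printf '%s\n' "-A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above $QPS/sec --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-name $NAME --hashlimit-htable-expire 60000 -j DNSFLOOD"
    printf '%s\n' "-A DNSFLOOD -m limit --limit 5/sec -j LOG --log-prefix \"$PREFIX\""
    printf '%s\n' '-A DNSFLOOD -j DROP'
    printf '%s\n' 'COMMIT'
}

# --dry-run prints the rules; --apply appends them without flushing existing ones.
case "${1:-}" in
    --dry-run) dns_ratelimit_rules ;;
    --apply)   dns_ratelimit_rules | iptables-restore -n ;;
esac
```

Sources are tracked per /32 like the original --mask 255.255.255.255; add --hashlimit-srcmask 24 to the match to budget a whole /24 instead.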