On 13.10.2010 13:28, [email protected] wrote:
>> What is "best practice" to limit the resources used and to be a good
>> citizen when using unbound as public DNSSEC aware resolver, or is it
>> not recommended at all?
>
> Still no answer for this one so I guess it is not recommended at all...

I guess the limits depend on what you think it takes to be a "good citizen" and how many queries your resolvers usually receive.

I run a public Unbound resolver, mainly because my few mobile clients call in from various networks and Unbound doesn't support TSIG. I watch the resolver's munin graphs occasionally and set limits in the munin configuration. Any larger spikes in query rate or network traffic should trigger a warning by mail. The current threshold is set at about 10 times the average query rate (which is very low, anyway).

The usual amplification queries for ". NS" come in at <= 1 qps and are hardly noticeable even on a lightly queried server. If you're concerned about that and can live with denying priming queries to your clients, you can drop those with an exact packet filter match. Here's a u32 match expression for Linux netfilter:

> -A FORWARD -i eth0 -j DROP -p udp --dport 53 -m u32 --u32
> "0>>22&0...@12>>16=1&&0>>22&0...@20>>24=0&&0>>22&0...@21=0x00020001"

HTH,
Hauke.

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
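The u32 rule in the reply above, as an added example that is not part of the original post or of Unbound: the way I read the three clauses, they compute the IPv4 header length from the first word, then read 4 bytes at UDP offset 12 (QDCOUNT must be 1), at UDP offset 20 (first QNAME byte must be 0, i.e. the root label) and at UDP offset 21 (QTYPE NS, QCLASS IN, 0x00020001). The Python below performs exactly those tests on constructed IPv4/UDP packets so you can see which queries such a rule drops and which it lets through, including a packet with IP options, where the IHL arithmetic matters. The packet builders, addresses and names are assumptions for illustration; the mask bytes elided in the posted expression are not reconstructed here.

```python
import struct

# Wire layout the u32 match walks, all offsets relative to the start of the UDP header:
#   UDP header (8) | DNS header (12: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) | question
#   offset 12 -> QDCOUNT (2 bytes), offset 20 -> first QNAME byte, offset 21 -> QTYPE, QCLASS
QTYPE_A = 1
QTYPE_NS = 2
QCLASS_IN = 1


def build_dns_query(qname, qtype, qdcount=1, txid=0x1234):
    """Constructed DNS query payload; qname '' or '.' is the root zone."""
    labels = [lbl for lbl in qname.strip('.').split('.') if lbl]
    wire_name = b''.join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b'\x00'
    header = struct.pack('!HHHHHH', txid, 0x0100, qdcount, 0, 0, 0)  # RD set, no answers
    question = wire_name + struct.pack('!HH', qtype, QCLASS_IN)
    return header + question * qdcount  # repeat the question when QDCOUNT > 1 (test data only)


def build_ipv4_udp(payload, ihl_words=5, sport=40000, dport=53):
    """Constructed minimal IPv4 + UDP framing (checksums left zero; never sent anywhere)."""
    options = b'\x00' * ((ihl_words - 5) * 4)  # pad IP options so IHL > 5 is exercised
    total_len = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + options
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


def is_root_ns_query(packet):
    """Same decision the u32 rule makes: UDP to port 53, QDCOUNT == 1, QNAME '.', QTYPE NS, class IN."""
    if len(packet) < 20:
        return False
    ihl = (packet[0] & 0x0F) * 4        # the rule derives this as (first word >> 22) & mask
    if packet[9] != 17:                 # protocol field: only UDP is inspected
        return False
    udp = packet[ihl:]
    if len(udp) < 8 + 12 + 5:           # UDP + DNS header + shortest possible question
        return False
    if struct.unpack('!H', udp[2:4])[0] != 53:
        return False
    qdcount = struct.unpack('!H', udp[12:14])[0]      # clause 1: @12>>16 = 1
    first_label_len = udp[20]                          # clause 2: @20>>24 = 0 (root label)
    qtype, qclass = struct.unpack('!HH', udp[21:25])   # clause 3: @21 = 0x00020001
    return qdcount == 1 and first_label_len == 0 and qtype == QTYPE_NS and qclass == QCLASS_IN


def sample_packets():
    """Constructed packets keyed by what they are; True means the rule would drop them."""
    return {
        'root_ns_priming': build_ipv4_udp(build_dns_query('.', QTYPE_NS)),
        'root_ns_with_ip_options': build_ipv4_udp(build_dns_query('.', QTYPE_NS), ihl_words=6),
        'example_com_ns': build_ipv4_udp(build_dns_query('example.com', QTYPE_NS)),
        'root_a': build_ipv4_udp(build_dns_query('.', QTYPE_A)),
        'root_ns_two_questions': build_ipv4_udp(build_dns_query('.', QTYPE_NS, qdcount=2)),
        'root_ns_wrong_port': build_ipv4_udp(build_dns_query('.', QTYPE_NS), dport=5353),
    }


if __name__ == '__main__':
    for name, pkt in sample_packets().items():
        print(f'{name:28s} dropped={is_root_ns_query(pkt)}')
```

Because the match works on fixed offsets it never parses the DNS message, which is what makes it cheap enough to sit in the FORWARD chain; the price, as the reply says, is that a legitimate client priming its root hints over UDP is dropped too, while the same query over TCP or with any other QNAME passes untouched.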
