You could set a global ratelimit for responses per IP, which is "high enough" for normal use but blocking when they start misbehaving. Just remember to change the size of the netmask used to block, I think the default is a /24 or something. I don't know what a sane level is for you though. We use 100/second and then blocked for 5 seconds, which seems to work fairly well at keeping load down.
Kind Regards
Gabriel Fornaeus | Systems technician IT Operations | IP-Only AB | Switchboard: +46188431000 | Direct +46104788241

-----Original Message-----
From: bind-users <[email protected]> On Behalf Of von Dein, Thomas
Sent: 03 March 2020 13:09
To: [email protected]
Subject: How to throttle misconfigured clients?

Hello,

we're seeing a lot of malformed DNS queries to our recursive nameservers like these:

06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ AAAA? notification. (30)
06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105)
06:38:33.216732 IP client.59003 > nameserver2.53: 63187+ AAAA? antivirusix. (29)
06:38:33.218090 IP nameserver2.53 > client.59003: 63187 NXDomain 0/1/0 (104)
06:38:35.417973 IP client.59003 > nameserver2.53: 53861+ AAAA? kubeinspect. (29)
06:38:35.418420 IP nameserver2.53 > client.59003: 53861 NXDomain 0/1/0 (104)
06:38:37.729107 IP client.59003 > nameserver2.53: 11185+ AAAA? organization. (30)
06:38:37.729539 IP nameserver2.53 > client.59003: 11185 NXDomain 0/1/0 (105)
06:38:38.158519 IP client.59003 > nameserver2.53: 14657+ AAAA? history. (25)
06:38:38.158897 IP nameserver2.53 > client.59003: 14657 NXDomain 0/1/0 (100)
06:38:38.571983 IP client.59003 > nameserver2.53: 29269+ AAAA? go-kms. (24)
06:38:38.572437 IP nameserver2.53 > client.59003: 29269 NXDomain 0/1/0 (99)

Obviously these clients (there are many) are misconfigured in some weird way. But sometimes they send valid queries. So, what I'd like to do is to throttle them down somehow when they start to send these queries. And I only want to do this for clients in this specific source network, not for all.

The only idea I had so far was to configure these "zones" as forward zones and add a non-reachable forwarder so that the queries time out, thus throttling down the clients. But I hope there's a more official or cleaner way to do this.

Is this possible?
Thanks in advance,
Tom
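Gabriel's per-client response rate limit, written out as a named.conf fragment. This is an added example, not configuration from either poster: the view names, the 192.0.2.0/24 source network, the log file path and the IPv6 prefix length are assumptions; the 100 responses per second and 5 second window are the figures Gabriel quotes. Putting the rate-limit block inside a view whose match-clients covers only the problem network is what restricts the throttling to that network, as Thomas asked.

```conf
// Added example (not from the thread). Limits responses only for the
// source network Thomas describes; 192.0.2.0/24 is a placeholder.
logging {
    // "rate-limit" is BIND's logging category for RRL decisions.
    // The file path is an assumption; pick one that suits the host.
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};

view "throttled-clients" {
    // Only this source network is subject to the limit below.
    match-clients { 192.0.2.0/24; };
    recursion yes;

    rate-limit {
        // Gabriel's figures: 100 responses per second, measured over a
        // 5 second window. A prefix that has used up its credit waits
        // for credit to accrue again, at most "window" seconds.
        responses-per-second 100;
        window 5;

        // The clients in the tcpdump mostly receive NXDOMAIN. Those answers
        // have their own counter (it defaults to responses-per-second);
        // set it explicitly so the intent is visible.
        nxdomains-per-second 100;

        // Gabriel's warning about the netmask: the default is /24 for IPv4
        // (and /56 for IPv6), so one bad host would throttle its whole /24.
        // Count per host instead. The IPv6 value is an assumption.
        ipv4-prefix-length 32;
        ipv6-prefix-length 64;

        // Every 2nd response that would be dropped is sent as a truncated
        // (TC) reply instead, so a legitimate resolver can retry over TCP.
        // 2 is BIND's default; shown here so it is not forgotten.
        slip 2;

        // Start by only logging what would be limited. Switch to
        // "log-only no" once the thresholds look sane in rrl.log.
        log-only yes;
    };
};

// Everybody else keeps the server's normal behaviour.
view "default" {
    match-clients { any; };
    recursion yes;
};
```

Two things to keep in mind when applying this: once any view is declared, every zone statement (including the root hints and any local zones) has to move inside a view, otherwise named refuses to load; and because the limit counts responses per prefix, the log-only phase is the place to confirm that normal clients in the same network stay well under 100/second before enforcement is switched on.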

