[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Zuleger, Holger, Vodafone Germany holger.zuleger at vodafone.com
Mon Jun 11 07:11:48 UTC 2012


> > to that end, vernon schryver and i have been exploring rate limiting in
> > BIND 9. there's a patch available, which i've so far offered only to
> > anyone whose server is currently getting abused. what i'm 
great.

> > config {
> >     // ...
> >         rate-limit {
> >                 responses-per-second 5;
> >                 window 5;
> >         };
> > };
> 
> I'm afraid we may need more control. If my clients are generating a DDoS
> attack at 20 responses per second, and I limit this to 5 per second -
> the C&C can get the same effect by mobilizing four times as many clients
> to do the job. On my wishlist, in addition to rate limiting, is also:
> 
> - Some way of dynamically blackholing clients, based on one or more of
> -- Rate limit exceeded
> -- Asking the *same* question (with a large response) repeatedly
> -- Asking a *specific* question (e.g. ANY isc.org|ripe.net)
> -- Input from an external system, e.g. via rndc
What about rate limiting clients which are not keeping the TTL value?
We are talking about rate limiting on authoritative name servers, right?

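The two mechanisms under discussion, the quoted rate-limit block (responses-per-second plus a window) and dynamic blackholing of clients that keep re-asking the same question, can be modelled together with Holger's point about clients that do not keep the TTL. The following is an added example for this thread, not code from BIND, ISC, or any poster. The credit accounting (a key starts with one second's allowance and is topped up each second to at most responses-per-second times window) is an assumption, not BIND's exact RRL algorithm, and the sample traffic is constructed.

```python
"""Model of per-key DNS response rate limiting plus TTL-aware repeat
detection.  Added example for this thread, not BIND code: the credit
accounting is an assumption, not BIND's exact RRL implementation."""
from collections import defaultdict

# Constructed sample traffic as (ts_ms, client, qname, qtype, answer_ttl_s).
# 10.0.0.1 re-asks "ANY example.net" every 100 ms even though the answer
# carries a 3600 s TTL; 10.0.0.2 asks two different questions once each.
SAMPLE_QUERIES = sorted(
    [(100 * i, "10.0.0.1", "example.net", "ANY", 3600) for i in range(40)]
    + [(0, "10.0.0.2", "example.net", "MX", 3600),
       (2000, "10.0.0.2", "example.org", "A", 300)]
)


class ResponseRateLimiter:
    """Token bucket per (client, qname, qtype).

    Assumed accounting: a key starts with one second's allowance
    (responses_per_second credits), earns responses_per_second credits per
    second up to responses_per_second * window, and spends one credit per
    response.  A response with no whole credit available is dropped.
    """

    def __init__(self, responses_per_second=5, window=5):
        self.rps = responses_per_second
        self.cap = responses_per_second * window
        self.buckets = {}  # key -> [credits, last_ts_ms]

    def allow(self, client, qname, qtype, ts_ms):
        key = (client, qname, qtype)
        credits, last = self.buckets.get(key, (self.rps, ts_ms))
        credits = min(self.cap, credits + (ts_ms - last) * self.rps / 1000)
        allowed = credits >= 1
        self.buckets[key] = [credits - 1 if allowed else credits, ts_ms]
        return allowed


class TTLRepeatDetector:
    """Counts, per client, questions re-asked before the previous answer's
    TTL has expired; a resolver honouring the TTL would serve them from
    cache.  Dropped responses still count: the client repeated a question
    it should already have had cached."""

    def __init__(self, max_violations=10):
        self.max_violations = max_violations
        self.last_seen = {}  # (client, qname, qtype) -> (ts_ms, ttl_s)
        self.violations = defaultdict(int)

    def observe(self, client, qname, qtype, ts_ms, ttl_s):
        key = (client, qname, qtype)
        prev = self.last_seen.get(key)
        if prev is not None and ts_ms - prev[0] < prev[1] * 1000:
            self.violations[client] += 1
        self.last_seen[key] = (ts_ms, ttl_s)

    def blackhole_candidates(self):
        """Clients whose violation count reached the threshold."""
        return sorted(c for c, n in self.violations.items()
                      if n >= self.max_violations)


def simulate(queries, responses_per_second=5, window=5, max_violations=10):
    """Run both mechanisms over a query stream; return summary counts."""
    rrl = ResponseRateLimiter(responses_per_second, window)
    detector = TTLRepeatDetector(max_violations)
    allowed = dropped = 0
    for ts_ms, client, qname, qtype, ttl_s in queries:
        detector.observe(client, qname, qtype, ts_ms, ttl_s)
        if rrl.allow(client, qname, qtype, ts_ms):
            allowed += 1
        else:
            dropped += 1
    return {"allowed": allowed, "dropped": dropped,
            "blackhole_candidates": detector.blackhole_candidates()}


if __name__ == "__main__":
    print(simulate(SAMPLE_QUERIES))
```

On the constructed stream the limiter alone still lets roughly a quarter of the abusive client's responses through (the point made above about the attacker simply recruiting more clients), while the TTL check singles out that client after a handful of repeats and leaves the well-behaved client untouched, which is the kind of signal an rndc-driven blackhole list could consume.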