North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS - connection limit (without any extra hardware)

  • From: Daniel Golding
  • Date: Sun Dec 10 12:38:42 2006 
On Dec 8, 2006, at 12:57 PM, Joe Abley wrote:

I think the trouble comes when you want to limit the request rate *per client source address*, rather than limiting the request rate across the board. That implies the retention of state, and since DNS transactions are brief (and since the client population is often large) that can add up to a lot of state to keep at an aggregation point like a router.

There some appliances which are designed to hold large amounts of state (e.g. f5's big-ip) but you're talking non-trivial dollars for that. Beware enterprise-scale stateful firewall devices which might seem like sensible solutions to this problem. They are often not suitable for use in front of busy DNS servers (even a few hundred new flows per second is a lot for some vendors, despite the apparent marketing headroom based on the number of kbps you need to handle).


Folks should also look at some of the DNS appliances (I know, this is "extra hardware"). Although the usually run BIND, they tend to be fairly optimized and have extra management functionality that may help with the rate limiting (if not, its probably a feature request that the vendors would entertain rapidly, as there's some pretty intense competition). Some folks to talk to - Infoblox and Bluecat. If you have really large DNS rate requirements, I'd consider talking to Nominum.

I'm curious as to just how bursty things are - how large of a departure from normality are we talking about? An order of magnitude? Two?

- Dan

You may find that you can install ipfw (or similar) rules on your nameservers themselves to do this kind of thing. Take careful note of what happens when the client population becomes large, though -- the garbage collection ought to be smooth and painless, or you'll just wind up swapping one worm proliferation failure mode for another.

Host-based per-client rate limits scale better if there are many hosts providing service, e.g. behind a load balancer or using something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.

As to the wider question, cleaning up the infected hosts is an excellent goal, but it'd certainly be nice if your DNS servers continued to function while you were doing so. Having every non- infected customer phone up screaming at once can be an unwelcome distraction when you already have more man hours of work to do per day than you have (staff * 24).


Joe