North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: DNS - connection limit (without any extra hardware)
- From: Daniel Golding
- Date: Sun Dec 10 12:38:42 2006
On Dec 8, 2006, at 12:57 PM, Joe Abley wrote:
I think the trouble comes when you want to limit the request rate
*per client source address*, rather than limiting the request rate
across the board. That implies the retention of state, and since
DNS transactions are brief (and since the client population is
often large) that can add up to a lot of state to keep at an
aggregation point like a router.
There some appliances which are designed to hold large amounts of
state (e.g. f5's big-ip) but you're talking non-trivial dollars for
that. Beware enterprise-scale stateful firewall devices which might
seem like sensible solutions to this problem. They are often not
suitable for use in front of busy DNS servers (even a few hundred
new flows per second is a lot for some vendors, despite the
apparent marketing headroom based on the number of kbps you need to
Folks should also look at some of the DNS appliances (I know, this is
"extra hardware"). Although the usually run BIND, they tend to be
fairly optimized and have extra management functionality that may
help with the rate limiting (if not, its probably a feature request
that the vendors would entertain rapidly, as there's some pretty
intense competition). Some folks to talk to - Infoblox and Bluecat.
If you have really large DNS rate requirements, I'd consider talking
I'm curious as to just how bursty things are - how large of a
departure from normality are we talking about? An order of magnitude?
You may find that you can install ipfw (or similar) rules on your
nameservers themselves to do this kind of thing. Take careful note
of what happens when the client population becomes large, though --
the garbage collection ought to be smooth and painless, or you'll
just wind up swapping one worm proliferation failure mode for another.
Host-based per-client rate limits scale better if there are many
hosts providing service, e.g. behind a load balancer or using
something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.
As to the wider question, cleaning up the infected hosts is an
excellent goal, but it'd certainly be nice if your DNS servers
continued to function while you were doing so. Having every non-
infected customer phone up screaming at once can be an unwelcome
distraction when you already have more man hours of work to do per
day than you have (staff * 24).