[Pdns-users] Handling packet flood from one client.

Leen Besselink leen at wirehub.nl
Wed Jan 28 11:58:33 UTC 2009

Ton van Rosmalen wrote:
> Leen Besselink schreef:
>> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
>>> Obviously; but that's being reactive; I was looking for something more
>>> proactive.  --Augie
>> I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
>> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
>> That might do what you want.
> How about rate limiting using iptables? You'd have to determine some 
> sort general usage rule or manually add ip addresses to he list that's 
> limited.
I didn't know iptables had an easy way to do this per source-address in 
iptables. But I've looked around and possible the recent-iptables-module 
would be able to do so:


OpenBSD's PF would probably be able to though:


I just had a list of IP-addresses and only return a small packet for the 
rest, but I'm definitly still considering changing it, because there are 
a few new ones every few days.

Although someone on the NANOG-mailinglist I read sends an update each 
time, I most say, that's convenient too. :-)

I don't particularly like rate-limiting something important as DNS for 
were I work.

PS You were probably not aware of it but please don't send HTML-only 
e-mails to mailinglists some people don't like it. Thunderbird does 
supports it I think.
> Regards,
> Ton

More information about the Pdns-users mailing list