[167434] in North American Network Operators' Group


Re: Best practice on TCP replies for ANY queries

daemon@ATHENA.MIT.EDU (Carlos Vicente)
Wed Dec 11 14:32:13 2013

In-Reply-To: <CAJ0+aXZ5kC=ngBYdZbK2A+d296uVotdyTHBii4NgJTtbdyGhDw@mail.gmail.com>
Date: Wed, 11 Dec 2013 14:26:05 -0500
From: Carlos Vicente <cvicente.lists@gmail.com>
To: Anurag Bhatia <me@anuragbhatia.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If you are using BIND, take a look at:

https://kb.isc.org/article/AA-01000

cv


On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:

> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying in TCP with
> 3700 bytes, releasing very heavy packets. Now I see the presence of some
> (legitimate) DNS forwarders and hence I don't wish to limit queries.
>
>
> As I understand it, there are two ways to fix this:
>
>
>    1. I can put a DNS rate limit on replies to ANY packets, like say 5 replies
>    every one minute (but again I have some forwarders with quite a few
>    machines behind them).
>
>    2. The other way is limiting TCP port 53 outbound size, limiting to say
>    600-700 bytes or so.
>
>
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also, under what circumstances can I get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> Twitter<https://twitter.com/anurag_bhatia>
> Skype: anuragbhatia.com
>
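A defender-side check for the situation Anurag describes, added here as an example and not part of this thread or of any BIND tooling: it parses query log lines, counts ANY queries per client per minute, flags any source that exceeds a per-minute threshold (his option 1), and exempts known forwarder prefixes so that a busy legitimate forwarder is not caught by the same rule. The log line format is assumed to be the BIND 9.9-era `queries` channel layout, the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND 9.9-era query log layout (adjust the pattern for your version):
# 11-Dec-2013 13:05:00.100 client 203.0.113.7#4444: query: victim-zone.example IN ANY +E (198.51.100.5)
# Newer releases insert "@0x..." and "(qname)" after "client"; both are tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one abusive source sending only ANY queries,
# one legitimate forwarder with a mixed but ANY-heavy load, one quiet client.
SAMPLE_LOG = (
    [f"11-Dec-2013 13:05:0{i}.100 client 203.0.113.7#4444: query: "
     f"victim-zone.example IN ANY +E (198.51.100.5)" for i in range(8)]
    + [f"11-Dec-2013 13:05:1{i}.200 client 192.0.2.10#53211: query: "
       f"example.net IN ANY +E (198.51.100.5)" for i in range(6)]
    + [f"11-Dec-2013 13:05:2{i}.300 client 192.0.2.10#53212: query: "
       f"www.example.net IN A + (198.51.100.5)" for i in range(4)]
    + ["11-Dec-2013 13:05:30.000 client 198.51.100.20#7000: query: mail.example.org IN MX + (198.51.100.5)",
       "11-Dec-2013 13:05:31.000 client 198.51.100.20#7001: query: example.org IN ANY +E (198.51.100.5)",
       "11-Dec-2013 13:05:32.000 client 198.51.100.20#7002: query: example.org IN A + (198.51.100.5)",
       "11-Dec-2013 13:05:33.000 general: info: zone example.org/IN: loaded serial 2013121101"]
)


def parse_line(line):
    """Return the timestamp, client IP, qname and qtype of a query log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "ip": m.group("ip"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype").upper(),
    }


def per_minute_any_counts(lines):
    """Return ({ip: {minute: ANY count}}, {ip: total query count})."""
    any_counts = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a query line (zone loads, notifies, ...)
        totals[rec["ip"]] += 1
        if rec["qtype"] == "ANY":
            minute = rec["ts"].replace(second=0, microsecond=0)
            any_counts[rec["ip"]][minute] += 1
    return any_counts, totals


def is_exempt(ip, exempt_networks):
    """True if ip falls inside any of the CIDR prefixes reserved for known forwarders."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in exempt_networks)


def flag_any_abusers(lines, threshold=5, exempt_networks=()):
    """List (ip, peak ANY queries in one minute, share of that client's queries that were ANY)
    for every non-exempt client whose peak exceeds the threshold, busiest first."""
    any_counts, totals = per_minute_any_counts(lines)
    flagged = []
    for ip, buckets in any_counts.items():
        peak = max(buckets.values())
        if peak > threshold and not is_exempt(ip, exempt_networks):
            any_share = round(sum(buckets.values()) / totals[ip], 2)
            flagged.append((ip, peak, any_share))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the operator's known forwarders (constructed).
    for ip, peak, share in flag_any_abusers(SAMPLE_LOG, threshold=5, exempt_networks=["192.0.2.0/24"]):
        print(f"{ip}: {peak} ANY queries/min, ANY share {share:.0%}")
```

The ANY share is the useful second signal: a forwarder with real users behind it sends a mix of record types, while the abusive source in the sample sends nothing but ANY for a single name. Running the check with an empty exemption list shows why the exemption matters, since the forwarder's six ANY queries in a minute would otherwise trip the same five-per-minute rule.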
