
add rate limit options #118

Closed
wispr opened this issue Jul 1, 2014 · 7 comments

Comments


@wispr wispr commented Jul 1, 2014

Rate limiting was introduced in 9.10 of bind and is a great tool to limit DDoS attacks, but the option is missing in global and view options.
http://www.zytrax.com/books/dns/ch7/hkpng.html#rate-limit


@framirezu framirezu commented Jul 7, 2014

This is a necessary requirement for large deployments.
I join. +1

@WillyXJ WillyXJ added this to the 2.0 release milestone Aug 22, 2014
WillyXJ added a commit that referenced this issue Dec 18, 2014
WillyXJ added a commit that referenced this issue Jan 2, 2015
Just need to support multiple responses-per-second in the buildconf
WillyXJ added a commit that referenced this issue Jan 2, 2015
Multiple responses-per-second are now built
@WillyXJ WillyXJ (Owner) commented Jan 2, 2015

This support has been added to v2.0-alpha2 and later for BIND 9.9.4 and later.

@WillyXJ WillyXJ closed this Jan 2, 2015
@WillyXJ WillyXJ (Owner) commented Dec 7, 2016

It seems named does not allow for multiple rate-limit declarations - at least in my additional tests - even though the zytrax page shows multiples are allowed.

Sep 19 16:28:42 fm-dns-t4 named[1342]: loading configuration from '/etc/bind/named.conf'
Sep 19 16:28:42 fm-dns-t4 named[1342]: /etc/bind/named.conf.options:82: 'rate-limit' redefined near 'rate-limit'

Here are the relevant entries in my test named.conf:

77 	rate-limit {
78 		all-per-second 600;
79 		errors-per-second 80;
80 		max-table-size 153;
81 	};
82 	rate-limit {
83 		domain sub.test-domain.com;
84 		all-per-second 10;
85 	};

This particular test system is running BIND 9.9.5-9+deb8u6-Debian and ISC states 9.9.4 and later have rate-limit support. Has anyone got a working configuration with multiple rate-limit options defined or does it truly only support one declaration?

@WillyXJ WillyXJ reopened this Dec 7, 2016

@chandro chandro commented Apr 9, 2019

Don't know why it should be doubled if you have the same option, just changing the time (all-per-second).

I used this one, and it is working:

rate-limit {
	responses-per-second 10;  // covers non-empty identical queries
	referrals-per-second 4;
	nxdomains-per-second 3;
	errors-per-second 2;
	nodata-per-second 1;
	exempt-clients { 127.0.0.1; ::1; 2001:1234:1234::1; };
	all-per-second 20;        // covers all queries from client
	slip 2;  // The slip parameter allows the DNS to set the Truncate (TC) bit in the response, which has the effect of forcing the requestor to use TCP.
};

I know this issue is old and maybe it is already fixed.

@WillyXJ WillyXJ (Owner) commented May 14, 2019

@chandro - Thanks for the reply. The issue is still outstanding. According to the documentation (both zytrax and BIND ARM), multiple rate-limit statements seem to be allowed so you can define different limits per domain (see example above). It's also likely I'm misunderstanding the docs.

@WillyXJ WillyXJ (Owner) commented May 14, 2019

I believe this is a bug with BIND.

Bug report filed - https://gitlab.isc.org/isc-projects/bind9/issues/1031

@WillyXJ WillyXJ (Owner) commented May 30, 2019

Defining multiple name space rate-limit entries is only supported in the subscription edition of BIND. The support for it in fmDNS will remain as-is because some users may have the SE version.

@WillyXJ WillyXJ closed this May 30, 2019