bind9 has no rate limit option

Bug #1202278 reported by Robstarusa
This bug affects 2 people
Affects                  Status         Importance   Assigned to   Milestone
bind9 (Ubuntu)           Fix Released   Wishlist     Unassigned    -
bind9 (Ubuntu Precise)   Won't Fix      Wishlist     Unassigned    -

Bug Description

Bind9 is vulnerable to being used as a DDOS even when recursion is turned off.
Ref: http://www.us-cert.gov/ncas/alerts/TA138-088A

Can the Ubuntu team (or whomever is responsible for the bind9 package) please integrate this into a new package for the LTS?

I've looked at the changelogs for 12.04 on bind9 package & can't see that it was added. I've also tried adding the rate limit directive & I get "unknown option rate-limit" and bind9 fails to start.

As of this update, I have the latest bind9 package installed (1:9.8.1.dfsg.P1-4ubuntu0.6).

One recommended fix is here:

http://www.redbarn.org/dns/ratelimits

If this is not eligible for an LTS, can we please add it to 12.10 or 13.04?

Thank you,

Robert

Robstarusa (rob-naseca)
information type: Private Security → Public Security
Changed in bind9 (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Seth Arnold (seth-arnold) wrote :

Indeed, this looks useful.

However, performing the rate limiting in the kernel using firewall rules can be more efficient and not require any BIND patches.

There are three mechanisms I can think of for performing this rate limiting today, without waiting for updates:

- Insert iptables hashlimit rules. Here is one suggested rule:
iptables -N drop_log_dns_abuse   # user-defined chain the rule below jumps to: log, then drop
iptables -A drop_log_dns_abuse -j LOG --log-prefix "DNS-ABUSER: "
iptables -A drop_log_dns_abuse -j DROP
iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
 --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
 --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse
(The rule was suggested by Joerg Jungermann in another context at http://mailman.powerdns.com/pipermail/pdns-users/2012-September/009235.html )

- Use phreld to dynamically insert DROP rules for hosts that bypass limits: http://www.digitalgenesis.com/software/phrel/manual/phreld.html (Sadly, not packaged for Ubuntu.) I know this option is preferred by some commercial DNS hosts.

- Use ufw limit to add some quick limits. Since this is intended first and foremost to prevent OpenSSH brute-force connection attempts, the default limits may be too low for applying to DNS. This might still be appropriate for very small installations, however. Your mileage may vary.

I hope this helps. Thanks.
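For comparison with the firewall workarounds above, this is what the rate-limit block the reporter tried to add looks like on a BIND build that includes ISC's Response Rate Limiting (RRL) feature, e.g. the 1:9.9.3.dfsg.P2-3 package mentioned later in this thread or a source build with the patch. This is an added example, not configuration from the bug report or from ISC; the thresholds, log path and the 192.0.2.0/24 network are illustrative assumptions.

```conf
options {
    directory "/var/cache/bind";
    recursion no;

    // Response Rate Limiting; only parsed by a BIND build that includes RRL
    rate-limit {
        responses-per-second 10;   // identical answers per second to one client prefix
        referrals-per-second 10;
        nodata-per-second 10;
        nxdomains-per-second 10;
        errors-per-second 10;
        all-per-second 50;         // hard cap on all responses to one client prefix
        window 15;                 // seconds over which unused credit accumulates
        slip 2;                    // every 2nd dropped reply is sent truncated (TC) so real clients retry over TCP
        ipv4-prefix-length 24;     // limit per /24 rather than per host
        ipv6-prefix-length 56;
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };   // 192.0.2.0/24 is a placeholder for trusted resolvers
        log-only yes;              // observe first; change to "no" to enforce once the log looks right
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};
```

Run named-checkconf on the file before restarting: a build without RRL rejects it with the same unknown-option error the reporter saw on 9.8.1, whereas a build with RRL accepts it silently.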

Robstarusa (rob-naseca) wrote :

That does help, however I've already uninstalled the Ubuntu bind9 version & created my own from source + patch.

I think fixing the actual problem versus a firewall workaround is a better solution, personally.

I understand that I'd more likely have had a fix if I reported it upstream, but this isn't a new problem as far as my googling shows, & it appears upstream hasn't done anything yet.

However, I appreciate your help & response.

Robstarusa (rob-naseca) wrote :

It looks like upstream is adding this. Can we get this moved into an LTS after it is out? Should this still be marked "wishlist" since upstream is taking care of it?

http://www.marketwire.com/press-release/isc-adds-ddos-defense-module-to-bind-software-1814775.htm

Seth Arnold (seth-arnold) wrote :

It might be possible to bring the feature to 12.04 LTS, through one of two mechanisms:

The Stable Release Update process https://wiki.ubuntu.com/StableReleaseUpdates is usually used to fix high-impact bugs. I'd be prepared to ask the SRU team to include rate-limiting DNS responses as such an issue.

Or, once the feature is in a newer Ubuntu release, you could ask the Backports team to prepare a wholesale backport of the entirely new version of bind9: https://help.ubuntu.com/community/UbuntuBackports

Thanks

LaMont Jones (lamont) wrote :

Fixed in 1:9.9.3.dfsg.P2-3

Changed in bind9 (Ubuntu):
status: Confirmed → Fix Released
Changed in bind9 (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Wishlist
Robstarusa (rob-naseca) wrote :

I've started a backport request under LP #1218638

Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in bind9 (Ubuntu Precise):
status: Confirmed → Won't Fix