Re: Can IPTables check for a valid IP address

On Thursday, 18 September 2014, 17:11:36, R. Sterenborg wrote:
> On 09/18/2014 03:50 PM, Lars Dam wrote:
> > We suffer from DNS lookups with a response IP address which is not
> > existing.
> > 
> > Can Iptables check on this?
> 
> What is it you actually want iptables to do? Do you want it to check if
> the IP address that the DNS server responds with exists and is in use?
> Or..? Maybe the DNS server should be fixed instead of trying to go this way.
> 
> Iptables (well, Netfilter) is a packet filter. You can filter packets
> that match a rule that you define. It can't validate your DNS server's
> output

iptables cannot help you since the source IP address presumably varies. If the
source address does not vary, then iptables can help you.

Just google "iptables rate limit"


Anyway, it seems that you operate an open resolver on your server. Please
google why this is not a good idea. But if you really want to run an open
resolver, then read the docs of your DNS server on how to limit the request
rates. For bind, see:

http://ss.vix.su/~vjs/rl-arm.html



Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of Management: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
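As an added example that is not part of this message or the thread, here is the per-source rate limit the reply refers to, written as iptables hashlimit rules for inbound DNS. This only helps in the case the reply describes, where the querying source addresses do not vary; a flood from many spoofed sources is not addressed by it. The interface name, the sustained rate and the burst size are assumptions, overridable through environment variables, and the script prints the rules by default so they can be reviewed before `--apply` hands them to iptables.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source rate limiting of
# inbound DNS queries with the iptables hashlimit match.
# Assumptions (placeholders for a real resolver host):
#   DNS_IFACE  interface that faces the clients
#   RATE       sustained queries per source allowed through
#   BURST      initial burst per source before the rate applies
DNS_IFACE="${DNS_IFACE:-eth0}"
RATE="${RATE:-20/second}"
BURST="${BURST:-50}"

# Emit the rule set for one protocol (udp or tcp), one rule per line.
# Sources staying under RATE (with BURST slack) are accepted; the rest of
# their queries are dropped. hashlimit keys its counters on the source IP.
dns_ratelimit_rules() {
    proto="$1"
    cat <<EOF
-A INPUT -i $DNS_IFACE -p $proto --dport 53 -m hashlimit --hashlimit-name dns-$proto --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST -j ACCEPT
-A INPUT -i $DNS_IFACE -p $proto --dport 53 -j DROP
EOF
}

# Number of rule lines produced for a protocol; lets a caller check the
# generated set without applying it.
rule_count() {
    dns_ratelimit_rules "$1" | wc -l | tr -d ' '
}

# Apply the rules for both transports. Only runs when explicitly asked for,
# since it changes the live firewall and needs root.
apply_rules() {
    for proto in udp tcp; do
        dns_ratelimit_rules "$proto" | while read -r rule; do
            # Word splitting is intended here: $rule holds the iptables arguments.
            # shellcheck disable=SC2086
            iptables $rule
        done
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       dns_ratelimit_rules udp; dns_ratelimit_rules tcp ;;
esac
```

The ACCEPT rule must come before the DROP rule, since hashlimit only matches while a source is under its allowance; everything that falls through is dropped. Because the counters are per source address, a single busy legitimate client (for instance a forwarding resolver in front of many users) can hit the limit too, so the rate and burst values need to be chosen against observed query volumes rather than taken from this example.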
