
DNS rate limit

Open sabrinasadik opened this issue 2 years ago • 3 comments

Rate-limit DNS queries for VMs to 15/sec to alleviate popular DNS amplification and reflector attacks

sabrinasadik avatar Jul 10 '23 12:07 sabrinasadik

@delandtj this was supposed to be part of 3.11 release, will you be able to help or should it get moved to 3.12?

xmonader avatar Jul 26 '23 17:07 xmonader

Besides limiting queries on the zos network, we also should make sure that we always run some DNS cache in all our images. (Not sure what the available options are, but I know of dnsmasq.)

muhamadazmy avatar Oct 30 '23 09:10 muhamadazmy

Rate-limit DNS queries for VMs to 15/sec to alleviate popular DNS amplification and reflector attacks

@sabrinasadik how did we get the number (15)?

How about making the limit per X seconds (maybe X = 5, 10) instead of one second to accommodate bursts of traffic from the users. We can do the limit using nftables (as suggested by Jan).

we also should make sure that we always run some dns cache in all our images

I fully agree with this and I think it should become a mandatory thing to do. In the default Ubuntu 24.04 installation on my PC and a DigitalOcean VM, I found that systemd-resolved is already used for the resolver + caching.

iwanbk avatar Aug 14 '24 07:08 iwanbk
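Added example, not code from the zos project or from anyone in the thread: a POSIX shell script that emits (and optionally loads) an nftables ruleset implementing the per-VM DNS rate limit discussed above, with the "N per X seconds" window expressed as a sustained rate plus a burst allowance. The table name `inet zos_dns`, the bridge name `br-vm` and the dynamic-set `add @set { ip saddr limit rate over ... }` form are assumptions about how a node would wire this up.

```shell
#!/bin/sh
# Added example (not zos code): emit, and optionally load, an nftables ruleset that
# rate-limits outbound DNS queries from VMs with one token bucket per VM source.
# Assumptions: VM traffic crosses the node on a bridge (placeholder "br-vm") and
# nothing else uses the table name inet zos_dns.
set -eu

# dns_ratelimit_ruleset RATE_PER_SECOND BURST_PACKETS VM_IFACE
# nftables rates are per second/minute/hour, so "N queries per X seconds" is
# expressed as a token bucket: sustained RATE/second plus a BURST allowance,
# e.g. 15/second with burst 75 tolerates a 5-second burst without dropping.
dns_ratelimit_ruleset() {
    rate="$1"; burst="$2"; iface="$3"
    case "$rate$burst" in
        *[!0-9]*|"") echo "rate and burst must be positive integers" >&2; return 1 ;;
    esac
    cat <<EOF
table inet zos_dns {
    # One bucket per VM source address; idle entries expire after 60s.
    set dns_limit { type ipv4_addr; size 65535; flags dynamic; timeout 60s; }
    set dns_limit6 { type ipv6_addr; size 65535; flags dynamic; timeout 60s; }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # A VM over its budget is counted and dropped; under budget falls through.
        iifname "$iface" meta l4proto { udp, tcp } th dport 53 add @dns_limit { ip saddr limit rate over ${rate}/second burst ${burst} packets } counter drop
        iifname "$iface" meta l4proto { udp, tcp } th dport 53 add @dns_limit6 { ip6 saddr limit rate over ${rate}/second burst ${burst} packets } counter drop
    }
}
EOF
}

# dns_ratelimit_apply RATE BURST IFACE: replace any previous copy of the table and
# load the new one atomically (needs root and a kernel with nf_tables).
dns_ratelimit_apply() {
    if nft list table inet zos_dns >/dev/null 2>&1; then
        nft delete table inet zos_dns
    fi
    dns_ratelimit_ruleset "$@" | nft -f -
}

# Usage: sh dns_ratelimit.sh apply 15 75 br-vm   (or just call the
# generator to inspect the ruleset before loading it).
if [ "${1-}" = "apply" ]; then
    dns_ratelimit_apply "$2" "$3" "$4"
fi
```

The `counter` on the drop rules gives `nft list table inet zos_dns` a running count of over-budget queries per rule, which is the first thing to check before tuning the rate or burst.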