iptables connlimit for DNS?


Is doing this overkill?

/usr/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 \
    -m connlimit ! --connlimit-above 10 -j ACCEPT
# accepts TCP/53 only while the source address (default mask /32) has no
# more than 10 concurrent connections; anything above that is simply not
# matched here and falls through to later rules or the INPUT chain policy

Is there no good reason to want to set a maximum number of simultaneous
connections to port 53? To stop flooding. How long does a single
lookup take? Does a lookup actually close the connection/port after it's
done? I don't know how traffic on port 53 happens like I do on other ports.


Re: iptables connlimit for DNS?


Actually it won't change anything, since DNS lookups are done via UDP.
Further, if you install a DNS cache and activate its anti-flood
mechanisms, then there won't be a need for special Netfilter treatment.
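As an added example (not part of the thread, and not anyone's production ruleset), here is what a per-source limit on a DNS server looks like when the two transports are handled separately. Ordinary lookups are UDP, where there is no connection for connlimit to count, so a hashlimit on datagrams per source address is the right tool there; TCP/53 still has to be open for truncated responses and zone transfers, and connlimit is meaningful for it. Two things the rule in the original post does not do are done here: the over-limit case gets an explicit REJECT rather than relying on the chain policy, and the limit is paired with an ACCEPT for the traffic that is allowed. The interface name, the limit of 10 concurrent TCP connections, and the 50 queries per second UDP rate are assumptions; set them from real traffic.

```shell
#!/bin/sh
# Added example: per-source limits for a DNS server with Netfilter.
# Assumed values (adjust to the real server): interface eth0, at most 10
# concurrent TCP/53 connections per source, 50 UDP queries/second per source.
# Run as root to install; IPT=echo makes it print the rules instead.

IPT="${IPT:-iptables}"

dns_rules() {
    ifc="${1:-eth0}"
    tcp_max="${2:-10}"
    udp_rate="${3:-50/second}"

    # TCP/53: a real connection exists, so counting connections works.
    # Put the over-limit REJECT first and an explicit ACCEPT after it, so the
    # limit is enforced no matter what the INPUT chain policy is.
    "$IPT" -A INPUT -i "$ifc" -p tcp --dport 53 \
        -m connlimit --connlimit-above "$tcp_max" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -i "$ifc" -p tcp --dport 53 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # UDP/53: there is no connection to count, so connlimit is the wrong
    # match. hashlimit keeps a per-source-address token bucket instead:
    # up to udp_rate sustained, with a burst of 100 datagrams allowed.
    "$IPT" -A INPUT -i "$ifc" -p udp --dport 53 \
        -m hashlimit --hashlimit-name dnsq --hashlimit-mode srcip \
        --hashlimit-upto "$udp_rate" --hashlimit-burst 100 -j ACCEPT
    "$IPT" -A INPUT -i "$ifc" -p udp --dport 53 -j DROP
}

# Usage: sh dns_rules.sh install [iface]   (as root)
#        sh dns_rules.sh dry-run [iface]   (prints the iptables commands)
case "${1:-}" in
    install) dns_rules "${2:-eth0}" ;;
    dry-run) IPT=echo; dns_rules "${2:-eth0}" ;;
esac
```

Watch the rule order: the REJECT for connlimit must precede the ACCEPT, and the UDP DROP must come last, otherwise the limit never fires. If the resolver or cache in front of the server already has its own anti-flood mechanism, as the reply suggests, the UDP hashlimit is the part that becomes redundant; the TCP connection cap is still cheap insurance against a client holding many sockets open.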

