Limiting/Monitoring the number of DNS queries

  • Hello, I have recently become the network administrator in a dormitory, and have a few questions about traffic shaping, and a specific problem.
    My problem is that we have a DNS server on the network from the ISP, which has a limit of queries/s. Recently the DNS server refused to translate our requests, so I contacted the ISP, and he told me that we reached our limit of queries, so the DNS blocked us. He also told me that this might be because of the uncontrolled usage of torrenting. So my questions would be:

    1. Can torrenting generate a large number of requests? Can it come from one user? Is it correlated with the amount of data transferred?

    2. Can I wipe torrenting out on our network at the system level, and not the user level? Contacting the users does not help, sadly.

    3. Can I limit/monitor the number of DNS queries per user, and/or per interface?

    Thank you very much in advance if you take the time to read, and answer my questions. Also I am new to the forum, so I might have made some mistakes in the posting.

  • 1.  You can set your torrent client to not resolve IP addresses in the swarm to hostnames.  That would cut down on lookups.  What ISP in the world cares about that, though?  DNS isn't exactly a high-load service.  Maybe someone is using their DNS for an amplification attack?

    2.  Managing torrent traffic is not easy as most bittorrent clients try to avoid detection by using encryption.  You might have an easier time setting up traffic shaping and classifying all unknown traffic (including torrent) into a low priority queue.

    3.  The firewall typically only logs blocked traffic.  You could create a firewall rule that explicitly allows access to the ISP DNS and set that rule to log.  Then you would have a record of all DNS requests.  If it's that much of a problem, you may want to configure your own caching DNS to take some of the load off your ISP, or tell your ISP to get stuffed and use OpenDNS or Google DNS.  I'd probably go with the latter solution.

  • Hi KOM, and thank you for your reply!

    I forgot to mention that our ISP is the University, that is why they take things seriously; almost every university is on this line. Now, I can add Google DNS to the list of DNS servers, however, it is ineffective, since they block it :( We can only use their DNS. Hurray :S About those log files. I am interested in somehow logging all the DNS traffic into one, or separate files, preferably with the IP address also logged. Then I would be able to code a little in, say, PHP to display those who saturate the network. Can you show me the way I can do the logging? BTW I am not afraid of coding!

    Too bad there is no way to limit the number of packets going out on the LAN/WAN interface by IP and by the port number, because then I could easily create a rule to limit traffic on port 53 per IP per time interval.

    Anyway, thank you for your help!

  • Just add a LAN rule like this and check its Log checkbox:

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
      IPv4* *     *   *          53    *       none             Allow LAN to any port 53 rule

  • Thank you very much!

    I still have to tweak the system here and there, but I will manage from here on :)

    Have a nice day!

  • You can run your own DNS server.

  • Hi kejianshi!

    In theory I could do it, but AFAIK it would only be a caching DNS server, which does take off some load from the main DNS, but we were given a promise that they will put us on a better server if we locally limit the number of our queries to a number, say 3000. Although, we would improve response time with the caching. If I was to implement it, which package should I choose, and what are the settings required to run it?

    Thank you in advance.

  • You could run BIND.

  • Thank you. I will first try to do the counting of the requests, then limiting, and then the local DNS caching. If all goes well, I will post a summary, so if someone needs it, the answer will be here.

  • Maybe you can pick up a wifi signal and have Unbound use the wifi for connection to the root DNS servers. It would be relatively low bandwidth. Set your caching to a very large number to reduce the load. Just a random idea.

    Or just let the DNS get blocked, then tell the students to complain when "the internet breaks". It's not your fault they block outside DNS access, then aggressively limit the number of queries. I don't know about your Uni, but I worked for IT at mine, and if someone made a change that interfered with the students' ability to study or do homework, that was grounds for firing.

  • This is just me, but to make the internet zoom, I'd probably run all the http traffic through squid, run a private caching DNS server and whatever else might improve network performance.  With lots and lots of students online all those packages that make little or no difference to a home user might actually speed things up quite a bit for your network.

  • Hi kejianshi!

    The caching DNS is a good idea, but the problem is, we need to be rock-solid that we do not make more than a certain number of queries in a specified amount of time. Many of us here are IT students, and some of them like to experiment sometimes. Problem is, if we get on the main DNS of our network, and someone launches a DDOS attack, I will partially be responsible for letting it happen. I know that this is all theory, but they asked us to limit the queries, and we will be free from this penalty DNS. After and only after that happens, I can implement all kinds of things to improve performance. Anyway, thank you for your response. So far I am able to log the number of requests. Problem is, pfsense uses clog for this, and it can not be tweaked for setting file size and things like that. The command I use to count the number of requests is

    grep -E '192\.168\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5} >' filter.log | sort -k6 | cut -c 1-42 | uniq -c -s 20 | sort -k1 -n

    (grep needs -E for the {m,n} repetition counts to be treated as a regex rather than literal braces, and the final sort needs -n so the counts are ordered numerically.) This shows the requests by IP in order.
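    The grep pipeline above gives a total per source, but the ISP's limit is a rate, so what the dormitory really needs to know is how many queries each client sends per time window. The script below is an added example (not code from the thread or from pfSense) that parses a few constructed filter.log lines in the tcpdump-style layout older pfSense releases used, keeps only packets to UDP/TCP port 53, counts queries per source IP per 60-second window, and reports the sources that exceed a threshold. The log format, the regex, the 10.0.0.1 resolver address and the threshold are assumptions; adapt the regex to your own clog output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not real log data). The layout mimics the
# tcpdump-style filter.log entries of older pfSense releases: assumption.
SAMPLE_LOG = """\
Mar 10 12:00:01 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.10.51234 > 10.0.0.1.53: udp 29
Mar 10 12:00:02 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.10.51235 > 10.0.0.1.53: udp 31
Mar 10 12:00:03 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.22.40001 > 10.0.0.1.53: udp 28
Mar 10 12:00:05 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.10.51236 > 10.0.0.1.53: udp 30
Mar 10 12:00:07 pfsense pf: rule 7/0(match): pass in on em1: 192.168.1.10.44000 > 93.184.216.34.443: tcp 60
Mar 10 12:01:30 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.10.51237 > 10.0.0.1.53: udp 33
Mar 10 12:01:31 pfsense pf: rule 5/0(match): pass in on em1: 192.168.1.22.40002 > 10.0.0.1.53: udp 27
"""

# syslog timestamp, then "src.sport > dst.dport:" somewhere later on the line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# syslog lines carry no year; any fixed origin works for window bucketing
EPOCH = datetime(1900, 1, 1)


def parse_dns_queries(log_text, dns_port=53):
    """Return (timestamp, source_ip) for every logged packet sent to dns_port."""
    queries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != dns_port:
            continue  # not a DNS query (or an unparseable line)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        queries.append((ts, m.group("src")))
    return queries


def count_per_source_window(queries, window_seconds=60):
    """Count queries per (window start, source IP); the window start is a
    syslog-style string so it reads like the log it came from."""
    counts = Counter()
    for ts, src in queries:
        offset = int((ts - EPOCH).total_seconds()) // window_seconds * window_seconds
        bucket = (EPOCH + timedelta(seconds=offset)).strftime("%b %d %H:%M:%S")
        counts[(bucket, src)] += 1
    return counts


def find_offenders(counts, threshold):
    """Sources whose count in any window exceeds threshold, busiest first."""
    hits = [(src, bucket, n) for (bucket, src), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: (-h[2], h[1], h[0]))


if __name__ == "__main__":
    counts = count_per_source_window(parse_dns_queries(SAMPLE_LOG))
    for src, bucket, n in find_offenders(counts, threshold=2):
        print(f"{src} sent {n} DNS queries in the window starting {bucket}")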

  • If one of you has a very good and reliable internet elsewhere, like home or office or whatever, you could also make pfsense a client to a vpn there and route ONLY DNS requests to that network.  Otherwise I'm coming up short of ideas how to limit DNS requests.

  • This is getting very interesting. So far, we are more likely to succeed in routing our DNS traffic through some VPN connection to somewhere, than make pfSense limit the number of queries. This is just wow :D Also, I totally agree with you Harvy66 about the mentality, but i don't know about the wifi.

  • Notice I didn't say it was impossible or that my way was the best way.  But I do know 100% for sure that it works because ALL my traffic is routed through a remote server and I use that pfsense private IP for DNS.  Personally I think "limiting" DNS queries at all is a terrible idea.  Unless you wish to treat it as a DDOS attack?  In which case I suppose you could put in a firewall rule to rate limit requests on port 53 to your pfsense?  Basically, you would have to figure out what you believe is a legitimate threshold for "abuse" for DNS requests per minute or per second.  Then set up a firewall rule that blocks someone making more than that number of requests per unit time.  I mean that really is what we are talking about doing when you get right down to it.

  • Exactly! That is what I would like to do. Limit the number of queries in a certain time bracket. But the question is, how? :)

  • When you create an allow rule on the LAN, you can scroll down towards the bottom of the rule and click advanced.

    When I do that I see that the limiting features only seem to apply to TCP only.  DNS queries use UDP  )-:

    It seems like fate wants you to stand up a DNS server…

  • I have also checked it, and yes, it is for TCP only :( No clue why DNS uses UDP though…

  • @jkristof94:

    Problem is, if we get on the main DNS of our network, and someone launches a DDOS attack, i will partially be responsible for letting it happen.

    And someone launches a DDOS? That has nothing to do with DNS, other than improperly configured DNS servers and the ISP allowing forged UDP packets. Are you routing packets that aren't part of your subnet? Then fix that. No more DNS DDOS problems.

    Having access to DNS is only a DDOS vector when the admins on both sides are not doing their jobs. You don't need break the Internet by rate limit DNS queries unless your DNS server is so under-powered that it can't handle a client spamming it with lookup requests. At that point, invest into a $25 Raspberry Pi for a DNS caching server.

    Sorry for being so negative, but DDOS via DNS is not a complicated issue and doesn't require draconian rules. The issue isn't technical, it's political, and I hate those kinds of problems.

    In other words, get the policy fixed. If possible. I know I've had to escalate issues like these in the past.

  • I do have a Raspberry Pi, but I am not going to use it for this purpose, because this is the ISP's stupid idea, and I am not going to waste my resources to fix his problems. Thing is, the DNS is not underpowered, they just simply say, here is the internet for dirt-money, but we limit you, because we can. Sadly this is what is happening. DDOS in this context is not that DDOS, I just called it like that for easy understanding. It is not happening on purpose, at least not that I know.

    TL;DR The ISP gives us dirt-cheap Gigabit internet, but we get a DNS limit, because they can do it. However if we limit our number of queries to (and I quote them) a random number, they will put us on a better DNS, with only the limit we set. So that is my problem.

    For them, I could be Superman and save the Earth, all they would care about at the end of the day is, if we have a limit or not. So… :)

  • Obviously, I agree with Harvy66.  Plus as long as you don't make the DNS server public it should be fairly easy to mitigate a DNS amplification attack.
    Or if you can just not use their DNS servers at all, you can promise them a limit of "0".

    I seriously doubt that the ONLY DNS server choice you have is the university.  I'm pretty sure you don't want to use their DNS anyway if they are so draconian with their rules.

    OpenNIC provides services that are low on peoples radar.  Probably not blocked to you.

    List of server IPs by country.  (don't chose white listed ones unless you get on their white list - maybe a good idea)

    Or just click here and see which ones they recommend for you.

    These can be set as your primary DNS in pfsense.  Test them.  Some also answer on 5353

  • Old thread, but I have a question..

    I understand that they are limiting DNS requests to their internal DNS Servers, but are they actually blocking DNS requests to the internet?

    If not, pfSense has DNS caching built-in..

    a. Point pfSense to external name servers (such as OpenDNS or Google's DNS) and configure pfSense to peel off the DNS queries for the University's dns suffixes and send them to their internal name server(s) using the Domain Override function.
            b. Only permit tcp/udp:53 to the pfSense Firewall IPs, force everyone behind your firewall to use you for DNS.

    The net effect should be that a good portion of the every-day requests would simply be cached by pfSense, and you'll be limiting the number of queries headed towards the University's name server(s) by redirecting anything NOT for the University to an outside source.


  • Hi cthomas!

    First of all, thank you for your constructive post. Point a is sadly not possible, because if I use any other DNS server than theirs, they simply do not forward the requests. On the other hand, I could do the caching locally, but those people out there don't care. They wouldn't even care if we cured cancer. The only thing they do care about if we can limit our maximum number of queries to a specific number under any given circumstances. They are very narrow-minded people sadly :( But thank you again. I learned many things looking for the solution and that is what counts :)

  • Well - Lets say you are using pfsense 2.2
    and lets say you are using unbound
    and lets say you put into forwarder mode and entered your ISP DNS Server IPs into general setup
    Then lets assume unbound is caching, because it is…
    Now lets assume you make it such that non of your clients can use any DNS except that provided by pfsense.

    Now, since pfsense is caching this will greatly reduce number of DNS requests to the ISP server because pfsense is handling all the requests after the 1st one.

    If this isn't good enough, your ISP is retarded and I'm sure will be out of business in no time.

  • You are right about everything and caching will reduce the number, they want me to have a text box where i can write lets say 50, and pfSense will magically limit the number to 50 at all time. And yes, my ISP is Retarded with a capital R, but is somehow backed by the University, so he will not go out of business (politics maybe?).

  • Tell him you have figured out how to limit it to no more than 10,000,000 or some number you estimate you wont exceed.

    Lie - They do it all the time.

Log in to reply