Limiting/Monitoring the number of DNS queries
-
Obviously, I agree with Harvy66. Plus as long as you don't make the DNS server public it should be fairly easy to mitigate a DNS amplification attack.
Or if you can just not use their DNS servers at all, you can promise them a limit of "0". I seriously doubt that the ONLY DNS server choice you have is the university. I'm pretty sure you don't want to use their DNS anyway if they are so draconian with their rules.
OpenNIC provides services that are low on people's radar. Probably not blocked to you.
List of server IPs by country (don't choose whitelisted ones unless you get on their whitelist; maybe a good idea):
http://wiki.opennicproject.org/Tier2
Or just click here and see which ones they recommend for you.
http://www.opennicproject.org/
These can be set as your primary DNS in pfSense. Test them. Some also answer on 5353.
-
Old thread, but I have a question..
I understand that they are limiting DNS requests to their internal DNS Servers, but are they actually blocking DNS requests to the internet?
If not, pfSense has DNS caching built-in..
a. Point pfSense to external name servers (such as OpenDNS or Google's DNS) and configure pfSense to peel off the DNS queries for the University's dns suffixes and send them to their internal name server(s) using the Domain Override function.
b. Only permit tcp/udp:53 to the pfSense Firewall IPs, force everyone behind your firewall to use you for DNS. The net effect should be that a good portion of the every-day requests would simply be cached by pfSense, and you'll be limiting the number of queries headed towards the University's name server(s) by redirecting anything NOT for the University to an outside source.
…ct
-
Hi cthomas!
First of all, thank you for your constructive post. Point a is sadly not possible, because if I use any other DNS server than theirs, they simply do not forward the requests. On the other hand, I could do the caching locally, but those people out there don't care. They wouldn't even care if we cured cancer. The only thing they do care about is whether we can limit our maximum number of queries to a specific number under any given circumstances. They are very narrow-minded people, sadly :( But thank you again. I learned many things looking for the solution and that is what counts :)
-
Well - let's say you are using pfSense 2.2
and let's say you are using unbound
and let's say you put it into forwarder mode and entered your ISP DNS server IPs into general setup
Then let's assume unbound is caching, because it is…
Now let's assume you make it such that none of your clients can use any DNS except that provided by pfSense. Now, since pfSense is caching, this will greatly reduce the number of DNS requests to the ISP server because pfSense is handling all the requests after the 1st one.
If this isn't good enough, your ISP is retarded and I'm sure will be out of business in no time.
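An added example, not posted by anyone in this thread: a small Python check that reads the counters `unbound-control stats` prints on a pfSense box (sample output constructed inline) and estimates how many queries the forwarder actually sent upstream per minute, so the number can be compared against whatever cap was promised. The statistic names are unbound's own; the sample values and the 50-per-minute cap are made up.

```python
# Added example (not from any poster in this thread): estimate how many
# queries pfSense's unbound forwarder sends upstream, from the counters that
# `unbound-control stats` prints, and compare the rate with a promised cap.
# total.num.cachemiss / total.num.prefetch / time.elapsed are standard unbound
# statistic names; the numbers and the 50-per-minute cap are made up here.

# Constructed sample of `unbound-control stats` output (invented values).
# `stats` resets the counters, so time.elapsed is the seconds it covers.
SAMPLE_STATS = """\
total.num.queries=1800
total.num.cachehits=1650
total.num.cachemiss=150
total.num.prefetch=12
time.now=1430000600.000000
time.elapsed=600.000000
"""

def parse_stats(text):
    """Turn unbound's name=value lines into a dict of floats."""
    stats = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            stats[key.strip()] = float(value)
    return stats

def upstream_per_minute(stats):
    """Queries per minute that missed the cache and were therefore forwarded.
    Prefetches refresh expiring entries and also go upstream, so they count.
    A miss that follows a CNAME chain costs more than one packet, so this is
    a lower bound, not an exact count."""
    elapsed = stats["time.elapsed"]
    if elapsed <= 0:
        raise ValueError("empty stats window; sample again later")
    forwarded = stats["total.num.cachemiss"] + stats.get("total.num.prefetch", 0.0)
    return forwarded / elapsed * 60.0

def check_cap(stats, cap_per_minute):
    """Return (within_cap, forwarded_per_minute, cache_hit_ratio)."""
    rate = upstream_per_minute(stats)
    total = stats["total.num.queries"]
    hit_ratio = stats["total.num.cachehits"] / total if total else 0.0
    return rate <= cap_per_minute, rate, hit_ratio

if __name__ == "__main__":
    ok, rate, hits = check_cap(parse_stats(SAMPLE_STATS), cap_per_minute=50)
    print(f"cache hits {hits:.1%}, forwarded {rate:.1f}/min, within cap: {ok}")
```

On a live box, feed it the real output of `unbound-control stats` instead of the sample; a low hit ratio means the clients are bypassing the resolver or the cache TTLs are too short to help.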
-
You are right about everything and caching will reduce the number, but they want me to have a text box where I can write, let's say, 50, and pfSense will magically limit the number to 50 at all times. And yes, my ISP is Retarded with a capital R, but is somehow backed by the University, so he will not go out of business (politics maybe?).
-
Tell him you have figured out how to limit it to no more than 10,000,000 or some number you estimate you won't exceed.
Lie - They do it all the time.