discuss - Re: [opennic-discuss] iptables rules inefficient

  • From: Julian DeMarchi <julian AT jdcomputers.com.au>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Thu, 23 May 2013 10:26:37 +1000

On 05/21/2013 02:11 AM, Psilo wrote:
> Thanks for your answer.
>
> However I just found out the filter is actually efficient, just the dnstop
> tool captures the packets before they are filtered.
>
> Now I use "dnstop eth0 -R" to see only DNS replies instead of queries, and
> there is nothing with "isc.org" or "ripe.net".
>
> Sorry about this mistake.

If you're blocking on the box, then you are still going to be receiving a
load of traffic. There is no way to stop the inbound traffic. However, by
not responding you should see the traffic drop by a half.

I had to kill a DNS server off last year as the inbound traffic was
still killing me in B/W costs.

--julian
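As an added example for the rules discussed in this thread (it is not code from the thread, from Psilo or Julian, or from OpenNIC), here is a small POSIX sh helper that builds the iptables string-match rules to drop inbound UDP/53 queries for a name such as isc.org or ripe.net. The DNS question is matched in its wire encoding (length-prefixed labels, zero terminator, optional qtype), so the rule is not fooled by a `.` in the ASCII name. The helper names `dns_hex_question` and `dns_block_rule` are this example's own; the interface name eth0 is taken from the thread.

```shell
#!/bin/sh
# Added example for the thread above: build iptables string-match rules that
# drop inbound DNS queries for a given name (e.g. the isc.org / ripe.net
# queries mentioned earlier) and print them for review before applying.
# The helper names below are this example's own, not anything from OpenNIC.

# Encode a dotted name in DNS wire format as an iptables --hex-string:
# each label is preceded by its length byte and the name ends with a zero
# byte, so isc.org becomes |03|isc|03|org|00|.  With an optional second
# argument (a 16-bit qtype in hex, e.g. "00 ff" for ANY) the question's
# qtype and class IN are appended, so only that query type is matched.
# Names are lowercased here; the rule below adds --icase as well.
dns_hex_question() {
    q_name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    q_name=${q_name%.}                       # drop a trailing dot
    q_out=""
    q_oldifs=$IFS
    IFS='.'
    set -f                                   # no globbing of labels
    for q_label in $q_name; do
        q_out="${q_out}|$(printf '%02x' "${#q_label}")|${q_label}"
    done
    set +f
    IFS=$q_oldifs
    if [ -n "$2" ]; then
        printf '%s|00 %s 00 01|' "$q_out" "$2"
    else
        printf '%s|00|' "$q_out"
    fi
}

# Print the rule that drops UDP/53 packets carrying that question.  The rule
# is printed, not applied: inspect it, then run it as root.  --icase makes
# the match case-insensitive (attackers may randomise qname case).  Because
# the match is a substring search, subdomains of the name match too, since
# their encoding contains the parent name's bytes.
dns_block_rule() {
    printf 'iptables -I INPUT -p udp --dport 53 -m string --algo bm --icase --hex-string "%s" -j DROP\n' \
        "$(dns_hex_question "$1" "$2")"
}

# Rules for the two names from the thread: every query for isc.org, and only
# ANY (qtype 255 = 0x00ff) queries for ripe.net.
dns_block_rule isc.org
dns_block_rule ripe.net "00 ff"

# After applying them, confirm that no replies for those names leave the box.
# The queries themselves still arrive and still count against inbound
# bandwidth, as Julian says; only the outbound replies disappear:
#   tcpdump -ni eth0 'udp and src port 53' | grep -Ei 'isc\.org|ripe\.net'
```

Two caveats a practitioner would want: the rule drops legitimate queries for those names as well, so it is a blunt instrument for an ongoing flood rather than a permanent setting, and a per-source rate limit (iptables hashlimit, or response rate limiting in the nameserver itself) is the gentler alternative once the immediate amplification traffic has stopped.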



