
Re: [opennic-discuss] iptables rules inefficient


  • From: Psilo <dns AT psilo.org>
  • To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] iptables rules inefficient
  • Date: Thu, 23 May 2013 09:19:29 +0200

Yes I see a big difference looking at the bandwidth graphs.

Without the iptables filters:

[Inline image 1: bandwidth graph without the iptables filters]

Now WITH the iptables filters:

[Inline image 2: bandwidth graph with the iptables filters]

The average output has been divided by 1000.

Psilo


2013/5/23 Julian DeMarchi <julian AT jdcomputers.com.au>
On 05/21/2013 02:11 AM, Psilo wrote:
> Thanks for your answer.
>
> However I just found out the filter is actually efficient, just the dnstop
> tool captures the packets before they are filtered.
>
> Now I use "dnstop eth0 -R" to see only DNS replies instead of queries, and
> there is nothing with "isc.org" or "ripe.net".
>
> Sorry about this mistake.

If you're blocking on box then you are still going to be receiving a
load of traffic. There is no way to stop the inbound traffic. However by
not responding you should see the traffic drop by a half.

I had to kill a DNS server off last year as the inbound traffic was
still killing me in B/W costs.

--julian
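The filter discussed in this thread drops amplification queries (the classic "ANY isc.org" / "ANY ripe.net" pattern) before the resolver answers them, which is why the inbound traffic still arrives but the large outbound replies disappear. The script below is an added example, not the rules Psilo or Julian used: it encodes a DNS name into wire format and emits an iptables string-match rule for the question section "<name> ANY IN". The only assumption is IPv4 without IP options, so the question section starts at byte 40 (20-byte IP header + 8-byte UDP header + 12-byte DNS header); the zone names are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that drop
# inbound UDP/53 queries for "<name> ANY IN", so the server never sends the
# amplified reply. Assumes IPv4 with no IP options (question section at offset 40).
set -eu

# Encode a DNS name into wire format as an iptables --hex-string, e.g.
#   isc.org -> |03 69 73 63 03 6f 72 67 00|
# Each label is prefixed by its length; the name ends with a zero byte.
dns_wire_hex() {
    out=""
    for label in $(printf '%s\n' "$1" | tr '.' ' '); do
        out="$out $(printf '%02x' "${#label}")"
        rest=$label
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}      # first character of $rest
            rest=${rest#?}             # drop it
            out="$out $(printf '%02x' "'$c")"   # POSIX: 'c -> char code
        done
    done
    printf '|%s 00|' "${out# }"
}

# Full question-section pattern for "<name> ANY IN":
# wire-format name, QTYPE 255 (ANY) = 00 ff, QCLASS 1 (IN) = 00 01.
dns_any_pattern() {
    hex=$(dns_wire_hex "$1")
    printf '%s' "${hex%|} 00 ff 00 01|"
}

# One iptables rule dropping the matching query. --from 40 skips the IPv4,
# UDP and DNS headers so the search starts at the question section; --icase
# is needed because DNS names compare case-insensitively and the string
# match does not. Note this is a substring search over the rest of the
# payload, so it also drops legitimate ANY queries for the same name.
dns_drop_rule() {
    printf 'iptables -A INPUT -p udp --dport 53 -m string --hex-string "%s" --algo bm --from 40 --to 65535 --icase -j DROP\n' \
        "$(dns_any_pattern "$1")"
}

# Print the rules for the zones named in the thread; pipe into `sh` as root
# to apply them (this script itself never calls iptables).
main() {
    for zone in isc.org ripe.net; do
        dns_drop_rule "$zone"
    done
}

main "$@"
```

Two caveats a practitioner would check before deploying this. First, as Julian says above, the queries still arrive and still count against inbound bandwidth; the rule only removes the outbound amplification. Second, the offsets are IPv4-only: for ip6tables the fixed IPv6 header is 40 bytes, so the equivalent rule would use `--from 60`, and queries over TCP (or in fragmented datagrams) are not matched at all.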


