Question : DNS Query Rate Control

We have several public-facing DNS servers, all of which are constantly being queried for updates by what we assume to be spammers. We tested this theory by setting up a dummy MX record pointing to an SMTP server; we made the DNS change, and within seconds emails began flowing into the SMTP server. Our network analyzer shows thousands of DNS queries, many from the same IP, hitting all of our DNS servers at any given time.

My question is pretty simple, though the answer may not be: is it possible to set a rate control on DNS queries to a DNS server, whereby we could say that a single IP address can only query our DNS server x times per second or per minute? Can this be done at the DNS server level, or does it need to be done at a higher networking level?

We're currently using Windows 2003 DNS; however, we're certainly not opposed to migrating to another DNS platform if that's what it takes to accomplish this.

Thank you in advance for any comments/feedback.

Answer : DNS Query Rate Control

Ah, sorry, my mistake; it's a long time since I managed a public BIND server.

There is no rate limiting in BIND per IP or host, but it does have a limit on how many clients it can concurrently serve (default is 1000).

For rate limiting per IP, you should use some *nix version or BSD; I would never recommend using Windows as an OS for BIND.
On those *nix or BSD OSes, you have pretty good control with the built-in firewall, which lets you rate-limit per IP.

However, setting up a brand new box with BIND may be too much work; I think you'd better go with tuning your main firewall. Many mid- to high-range firewalls have the capability to throttle traffic based on rules you set up (e.g. Check Point, Juniper).

One ISP I worked for used their main firewall to do simple port blocking for the DNS servers (except well-known DNS ports), and then used the built-in firewall in the *nix OS to do more in-depth analysis, like rate limiting, auto-blocking, etc.
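As an added illustration (not part of the original answer) of what a per-source-IP rate limit on port 53 does, the following token-bucket model replays constructed query records through the same "x queries per second per IP, with a burst allowance" policy that a host firewall rule such as iptables hashlimit enforces; the IP addresses, timestamps and query names are all constructed sample data.

```python
# Per-source-IP token-bucket rate limiter for DNS queries, modelled on the
# policy a host firewall rule expresses, e.g. (iptables, 5 q/s, burst 10):
#   iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns \
#     --hashlimit-mode srcip --hashlimit-above 5/sec --hashlimit-burst 10 -j DROP
# Arithmetic is kept in integer milli-tokens and millisecond timestamps so the
# replay is exact and deterministic.
from collections import defaultdict


class PerIpTokenBucket:
    def __init__(self, rate_per_sec: int, burst: int):
        self.refill_per_ms = rate_per_sec        # 1 q/s == 1 milli-token per ms
        self.capacity = burst * 1000             # burst queries, in milli-tokens
        self._state = {}                         # src_ip -> (tokens, last_ts_ms)

    def allow(self, src_ip: str, ts_ms: int) -> bool:
        tokens, last = self._state.get(src_ip, (self.capacity, ts_ms))
        tokens = min(self.capacity, tokens + (ts_ms - last) * self.refill_per_ms)
        if tokens >= 1000:                       # one whole query's worth available
            self._state[src_ip] = (tokens - 1000, ts_ms)
            return True
        self._state[src_ip] = (tokens, ts_ms)    # over the limit: drop, keep refilling
        return False


# Constructed sample traffic: one source hammering the MX record 40 times in a
# second (every 25 ms) and one ordinary resolver asking three questions.
QUERIES = [(t, "203.0.113.7", "example.net", "MX") for t in range(0, 1000, 25)]
QUERIES += [(100, "198.51.100.22", "www.example.net", "A"),
            (500, "198.51.100.22", "example.net", "MX"),
            (900, "198.51.100.22", "mail.example.net", "A")]
QUERIES.sort()


def filter_queries(queries, rate_per_sec: int = 5, burst: int = 10):
    """Replay (ts_ms, src_ip, qname, qtype) records; return {ip: (allowed, dropped)}."""
    bucket = PerIpTokenBucket(rate_per_sec, burst)
    counts = defaultdict(lambda: [0, 0])
    for ts_ms, src_ip, _qname, _qtype in queries:
        counts[src_ip][0 if bucket.allow(src_ip, ts_ms) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(filter_queries(QUERIES).items()):
        print(f"{ip:16} allowed={ok:3} dropped={dropped:3}")
```

The flooding source gets its 10-query burst plus the 5/s refill (14 answered, 26 dropped in that second), while the ordinary resolver is never touched; a long-lived table such as hashlimit's behaves the same way per source address.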