hello,
i have a bind server (v9) for my mail server , for last 2 days , it send too much traffic , i tried drop requests from ips that send requests , it was good but is temporary solution . named process gets 10 to 15 percent of cpu , also i set these option on bind
clients-per-query 2;
max-clients-per-query 3;

but it was not helpful ;
help suggestion ..

What ARE the requests? BIND has to process a request to a given extent to know if should process it, so that can only ever help so much. sounds like you might want to just use the limit module in iptables to block dns floods

http://falkhusemann.de/blog/2012/07/...th-burst-rate/

You can use limit modules to control number of dns request your server can accept .

You can also use hashlimit module to limit request from a particular ip .

Did you enabled recursion in your named configuration ?

Thanks

Thanks All
for info ,it was DNS Amplification Attack
i set in named .options
recursive-clients 5;
allow-recursion { any; };
allow-query {any;};
clients-per-query 1;
max-clients-per-query 3;
transfers-per-ns 2;
transfers-in 3;
transfers-out 3;


and also install failed2ban for bind (port 53)
till now every thing goes OK..

The .options limiting you did looks good to me but if you search this forum you'll find some recent threads about DNS amplification attacks this including links to NS best practices like CYMRU's ISC BIND templates, etc, etc. (Additionally this provides a nice write-up.) Just saying because there's a difference between utilizing ISC BIND as a caching name service for say only LAN clients and exposing it publicly, being the authoritative name server for domains. In the first case is useful, in the latter it is not. *Reading those docs you could conclude the iptables limit module may be helpful, only as an additional measure, because using it does not address the core problem.