IPTables - DNS query limiting

Analysis of incoming DNS queries determined an average of 5 requests per second per IP.

This figure could be used directly as the firewall limit. However, to avoid dropping legitimate clients that send a lot of valid requests in a short time, it is better not to measure over a single second but to average over a longer period. Since the measured average is 5 requests per second, that corresponds to an average of 50 requests over 10 seconds.

To tighten things further, the firewall is also set to allow a maximum of 15 requests per second per IP.

#!/bin/bash
# This script drops DNS sources that exceed 15 queries/s (burst limit)
# or 50 queries per 10 seconds (about 5/s sustained) using the xt_recent
# match, without changing the module's buffer settings.
#
# Note: "iptables --flush" removes every rule in the filter table, not
# just these DNS rules; on a host with other rules, use a dedicated chain.

# Requests per second (burst limit)
RQS="15"

# Requests per 10 seconds (sustained limit)
RQH="50"

iptables --flush

# Per-second window: --set records every new query for the source,
# --update drops it when RQS or more were seen in the last second.
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount ${RQS} --name DNSQF --rsource -j DROP

# Ten-second window: same pattern with a separate table so the two
# limits are counted independently (the window matches the 10 s that RQH describes).
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSHF --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 10 --hitcount ${RQH} --name DNSHF --rsource -j DROP
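As an added illustration (not part of the original page), a small Python model of the xt_recent counting logic the script relies on: a --set rule records the packet, and --update --seconds S --hitcount N matches when N or more recorded timestamps, the current packet included, fall within the last S seconds. It runs constructed traffic from three sources through the 15/s and 50 per 10 seconds limits described above; the source addresses are documentation-range placeholders and timing is modelled with plain floats rather than kernel jiffies.

```python
from collections import defaultdict

class RecentTable:
    """One xt_recent table (one --name): packet timestamps per source."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # "--set" records the current packet's timestamp unconditionally.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # "--update --seconds S --hitcount N" matches when at least N recorded
        # timestamps (this packet included, since --set ran first) lie within
        # the last S seconds; a match records one more stamp for the source.
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            self.stamps[src].append(now)
        return matched

def classify(queries, rqs=15, rqh=50, short_win=1, long_win=10):
    """Walk the page's four DNS rules for each (time, src) query in order;
    return one verdict per query, 'ACCEPT' (chain policy) or 'DROP'."""
    qf, hf = RecentTable(), RecentTable()   # the DNSQF and DNSHF tables
    verdicts = []
    for now, src in queries:
        qf.set(src, now)
        if qf.update(src, now, short_win, rqs):
            verdicts.append("DROP")
            continue
        hf.set(src, now)
        if hf.update(src, now, long_win, rqh):
            verdicts.append("DROP")
            continue
        verdicts.append("ACCEPT")
    return verdicts

def steady(src, rate, duration):
    """Constructed traffic: one source sending `rate` queries/s for `duration` s."""
    return [(i / rate, src) for i in range(int(rate * duration))]

if __name__ == "__main__":
    # Constructed sources (RFC 5737 documentation addresses, placeholders).
    cases = {"normal 4/s": steady("192.0.2.10", 4, 10),
             "burst 20 in 0.5 s": steady("192.0.2.20", 40, 0.5),
             "heavy 8/s": steady("192.0.2.30", 8, 10)}
    for name, q in cases.items():
        v = classify(q)
        print(f"{name}: {v.count('ACCEPT')} accepted, {v.count('DROP')} dropped")
```

Two properties worth noticing: the Nth query inside a window is the one dropped, so a client effectively gets N-1, and a dropped query still adds a timestamp, which is why the 8/s source stays blocked for the rest of the 10-second window once it trips the second rule.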
iptables/dns_query_limiting.1467970957.txt.gz · Last modified: 2020/07/15 09:30 (external edit)