[ratelimits] dramatic effect of turning on RRL in BIND

Vernon Schryver vjs at rhyolite.com
Mon Dec 31 15:05:57 UTC 2012


> From: Feng He <fenghe at nsbeta.info>

> what's the difference between response-per-second and errors-per-second?

From the documentation:

    ... All requests for all names or types that result in DNS errors
    such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered
    identical. This controls attacks using invalid requests or distant,
    broken authoritative servers. By default the limit on errors is the
    same as the responses-per-second value, but it can be set separately
    with errors-per-second.

> For a production BIND, is responses-per-second 5 too small?

That depends on whether the server is handling recursive requests.

5 responses/second for a single name and type to a /24 IPv4 or /56 IPv6
address block is a lot for most authoritative servers.  Authoritative
servers should be receiving requests from recursive servers which cache
authoritative responses and so not repeat requests frequently.

Recursive DNS servers that handle requests from application programs
can see many requests for a single name and type within a short
time from the program.  For example an SMTP server (mail receiver)
is likely to make several DNS requests per mail message.  When
receiving a burst of bulk mail, many of those requests will be the
same.  An HTTP client (web browser) might also repeat requests to
the local recursive server as it processes <IMG> tags.

Recursive servers can also see what appear to be repeated requests
from a small number of IP addresses that are really from many client
computers behind a NAT box.


Vernon Schryver    vjs at rhyolite.com


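The two settings discussed above, shown side by side in a named.conf fragment. This is an added illustration, not configuration from the original post or from ISC; the option names are BIND's rate-limit statement, while the numeric values, the address ranges and the view names are assumptions chosen to match the reasoning in the message (a low limit is plenty for an authoritative server, a recursive server needs a higher one or exemptions for its own clients).

```conf
// Added example (not from the original post): BIND rate-limit settings
// for the two cases discussed in the message.  Addresses are RFC 5737 /
// RFC 3849 documentation ranges, i.e. placeholders.

// Case 1: authoritative-only server.  Recursive resolvers cache answers,
// so 5 identical responses per second to one /24 (IPv4) or /56 (IPv6)
// is generous.  errors-per-second defaults to responses-per-second; it
// is set explicitly here so the error class (SERVFAIL, FORMERR, ...;
// NXDOMAIN is its own class) is visibly limited too.
options {
    recursion no;
    rate-limit {
        responses-per-second 5;
        errors-per-second    5;
        ipv4-prefix-length  24;   // the default, stated for clarity
        ipv6-prefix-length  56;   // the default, stated for clarity
        window              15;   // seconds of credit to accumulate
        slip                 2;   // every 2nd dropped response is a truncated one
        log-only            no;   // set to "yes" first to observe the effect
    };
};

// Case 2: recursive server for a campus/office.  Application clients
// (mail receivers, browsers loading many <IMG> tags, many hosts behind
// one NAT address) legitimately repeat the same query quickly, so the
// local client networks are exempted and the limit is raised.  Assumed
// view name and client prefixes.
view "internal" {
    match-clients { 192.0.2.0/24; 2001:db8::/32; localhost; };
    recursion yes;
    rate-limit {
        responses-per-second 50;
        errors-per-second    50;
        exempt-clients { 192.0.2.0/24; 2001:db8::/32; localhost; };
        log-only            yes; // start in observe mode, then disable
    };
};

// Per-limit events are logged under the "rate-limit" category; route
// it somewhere visible while tuning the numbers.
logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m; // assumed path
        print-time yes;
        severity info;
    };
    category rate-limit { rrl_log; };
};
```

Usage note: run `named-checkconf` on the file, then start with `log-only yes` and watch the rate-limit log for a day before turning enforcement on; the log tells you which (name, type, client prefix) combinations would be limited, which is the quickest way to confirm whether 5/second is too small for a given resolver population.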