[ratelimits] ratelimiting /24 for <tld>

paul vixie paul at redbarn.org
Sun Jul 8 16:14:55 UTC 2012


On 7/7/2012 6:23 PM, Tony Finch wrote:
> ...
> Most of the recursive queries on this box are for web browsing.


let me strongly suggest that for now you run your recursive service
inside a view that has no rate limiting. the current logic appears to be
excellent for authority servers but inadequate for recursives. the way
to protect your recursive from ddos abuse is with an ACL on your name
servers so that you only answer clients on trusted networks, and uRPF on
your routers so that you won't accept on-net source addresses from off-net.

we're working on logic to support recursives, but it's much harder since
clients of recursives don't have caches and the meaning of a repeated
query is completely different. for now, anything you do with DNS RRL and
recursive name servers is near-guaranteed to end badly.

paul

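The split recommended above, as an added named.conf sketch that is not from this thread or from BIND's own documentation (the ACL name, network ranges, zone name and rate values are assumed placeholders): recursion is served only to trusted clients in a view with no rate-limit clause, while the authoritative view that answers everyone carries RRL.

```conf
// Added example, not from the thread. Ranges, zone and rates are placeholders.
acl "trusted" {
    192.0.2.0/24;         // assumed on-net ranges (RFC 5737 / RFC 3849 documentation space)
    2001:db8::/32;
    localhost;
};

options {
    directory "/var/named";
    // no global rate-limit clause here; it is applied per view below
};

// View 1: recursive service for trusted clients only, with no RRL.
// Spoofed on-net source addresses from off-net must still be stopped at the
// border (uRPF on the routers); this ACL alone cannot tell them apart.
view "recursive" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
    // deliberately no rate-limit { ... }: RRL is not suited to recursives
};

// View 2: authoritative answers for the whole Internet, rate limited.
view "authoritative" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    rate-limit {
        responses-per-second 5;   // identical responses per second, per /24 for IPv4
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd dropped response is sent truncated (TC=1)
                                  // so a real client can retry over TCP
    };
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Views are matched in order, so the trusted view must come first; anything not matching "trusted" falls through to the rate-limited authoritative view.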