[ratelimits] ratelimiting /24 for <tld>

Tony Finch dot at dotat.at
Sun Jul 8 21:12:09 UTC 2012


Vernon Schryver <vjs at rhyolite.com> wrote:
> > From: Tony Finch <dot at dotat.at>
>
> > dns_rrl() to see the value of fname that was being passed in. This showed
> > that it was usually being called twice per recursive query - see the log
> > extract below. The two fnames are usually the TLD and the qname (in that
> > order), except when the response is not already cached.
>
> Tests using a gdb breakpoint at the call to dns_rrl() confirm my
> expectation that dns_rrl() is called only once when the answer is
> already in the cache and no CNAMEs are involved.

This isn't what I see, so I wonder what the difference is. Here's my code:
https://github.com/fanf2/bind-9/commit/a08dbae

Here's what it logs when I do two queries for api.twitter.com which has
four A records and a TTL of 30s - no CNAMEs involved. The second query is
satisfied from the cache. I get the same result with and without DNSSEC
validation.

08-Jul-2012 21:40:45.496 queries: info: client 127.0.0.1#62045 (api.twitter.com): query: api.twitter.com IN A +E (127.0.0.1)
08-Jul-2012 21:40:45.496 rate-limit: debug 1: client 127.0.0.1#62045 (api.twitter.com): checking rate limit for com
08-Jul-2012 21:40:45.496 rate-limit: debug 1: client 127.0.0.1#62045 (api.twitter.com): checking rate limit for twitter.com
08-Jul-2012 21:40:45.496 resolver: debug 1: createfetch: api.twitter.com A
08-Jul-2012 21:40:45.499 database: debug 1: decrement_reference: delete from rbt: 0x807d0b160 api.twitter.com
08-Jul-2012 21:40:47.473 queries: info: client 127.0.0.1#10374 (api.twitter.com): query: api.twitter.com IN A +E (127.0.0.1)
08-Jul-2012 21:40:47.473 rate-limit: debug 1: client 127.0.0.1#10374 (api.twitter.com): checking rate limit for com
08-Jul-2012 21:40:47.473 rate-limit: debug 1: client 127.0.0.1#10374 (api.twitter.com): checking rate limit for api.twitter.com

Here is the options clause from my named.conf, in case there's anything
relevant:

options {
        directory "/var";
        listen-on-v6 { any; };
        listen-on { any; };
        max-cache-size 512M;
        recursive-clients 10000;
        dnssec-validation auto;
        dnssec-lookaside auto;
        dnssec-dnskey-kskonly yes;
        minimal-responses yes;
        zone-statistics yes;
        notify master-only;
        empty-server localhost;
        empty-contact root.localhost;
        rate-limit {
                responses-per-second 20;
                window 10;
        };
};

Regarding random name attacks, I did my test attack against
private.cam.ac.uk (which is about 41,000 records and not signed) and the
queries were accounted against the zone apex, so the random name attack
was rate limited. When I test against cam.ac.uk (about 51,000 records,
plus another 150,000 for DNSSEC) the queries are accounted against the
NSEC records instead which defeats the rate limiter.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
South-east Iceland: Variable 3 or 4, becoming northerly 5 to 7 later. Slight
or moderate. Fog patches in north at first, rain later. Moderate or good,
occasionally very poor in north at first.
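The accounting difference described at the end of the post (random-name queries charged against the zone apex for an unsigned zone, but against the covering NSEC owner name for a signed one) can be reproduced with a small model. The following is an added example, not code from the post or from BIND: it is a simplified token-bucket limiter keyed on (client /24, accounted name), using the responses-per-second and window values from the named.conf above. The zone contents, the attacker address, the rule that a bucket starts with one second's worth of credit, and the use of DNSSEC canonical name ordering to pick the covering NSEC are all assumptions made for the example.

```python
"""Simplified model of response-rate-limit accounting for random-name attacks.

Added example (not BIND code): a token bucket keyed on (client /24, name),
where the "name" an NXDOMAIN is charged against is either the zone apex
(unsigned zone) or the owner of the NSEC record covering the qname (signed
zone).  Zone contents and the attacker address are constructed for the demo.
"""
import bisect
import ipaddress
import random
from string import ascii_lowercase

RESPONSES_PER_SECOND = 20  # values from the named.conf in the post
WINDOW = 10


def client_prefix(addr: str) -> str:
    """Collapse an IPv4 client address to the /24 the limiter keys on."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def canonical_key(name: str):
    """DNSSEC canonical ordering: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


class NsecChain:
    """The NSEC chain of a signed zone: one record per existing name, in canonical order."""

    def __init__(self, names):
        self.names = sorted(names, key=canonical_key)
        self.keys = [canonical_key(n) for n in self.names]

    def covering(self, qname: str) -> str:
        """Owner name of the NSEC whose interval covers a nonexistent qname.
        Names sorting after the last owner wrap around to that last record."""
        i = bisect.bisect_right(self.keys, canonical_key(qname)) - 1
        return self.names[i]


class RateLimiter:
    """Token bucket per (client /24, accounted name): rps credits per second,
    capped at rps * window.  A bucket starts with one second of credit (assumption)."""

    def __init__(self, rps=RESPONSES_PER_SECOND, window=WINDOW):
        self.rps = rps
        self.max_credit = rps * window
        self.buckets = {}  # (prefix, name) -> (credits, last refill second)

    def allow(self, prefix: str, name: str, now: float) -> bool:
        sec = int(now)
        credits, last = self.buckets.get((prefix, name), (self.rps, sec))
        if sec > last:
            credits = min(self.max_credit, credits + self.rps * (sec - last))
        credits -= 1
        self.buckets[(prefix, name)] = (credits, sec)
        return credits >= 0


def simulate(signed: bool, attacker="192.0.2.77", queries=50, seed=1):
    """Send `queries` random-name NXDOMAIN queries from one client within one
    second and report how many the limiter drops and how many buckets it used."""
    rng = random.Random(seed)
    zone = "cam.ac.uk"
    # Constructed zone: the apex plus every two-letter host name (676 names).
    existing = [zone] + [f"{a}{b}.{zone}" for a in ascii_lowercase for b in ascii_lowercase]
    chain = NsecChain(existing)
    limiter = RateLimiter()
    prefix = client_prefix(attacker)
    allowed = dropped = 0
    for i in range(queries):
        qname = "".join(rng.choice(ascii_lowercase) for _ in range(8)) + "." + zone
        # Unsigned: every NXDOMAIN lands on the apex bucket.  Signed: it lands on
        # the bucket of whichever NSEC record proves the name does not exist.
        name = chain.covering(qname) if signed else zone
        if limiter.allow(prefix, name, now=1.0 + i / queries):
            allowed += 1
        else:
            dropped += 1
    return {"allowed": allowed, "dropped": dropped, "buckets": len(limiter.buckets)}


if __name__ == "__main__":
    print("unsigned zone:", simulate(signed=False))
    print("signed zone:  ", simulate(signed=True))
```

With the unsigned zone all fifty queries share one bucket, so the limiter drops thirty of them; with the signed zone the same fifty queries are spread over nearly fifty different NSEC buckets and none is dropped, which is the defeat the post describes.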
