[ratelimits] RRL patches for 9.8.4 and 9.9.2

Jared Mauch jared at puck.nether.net
Mon Oct 22 20:02:16 UTC 2012


FYI: I'm now running this on puck with 9.9.2

On Oct 22, 2012, at 2:29 PM, paul vixie <paul at redbarn.org> wrote:

> at <http://www.redbarn.org/dns/ratelimits> there are now patches for
> BIND9 9.8.4 and 9.9.2. we are also announcing a new knob, described as
> follows:
> 
> UDP responses of all kinds can be limited with the all-per-second
> phrase. This rate limiting is similar to the rate limiting offered
> by firewalls. When performed in a DNS server it is inferior to the
> other rate-limit forms, because it ignores the contents of responses
> to a block of IP addresses. The rate limiting provided by
> responses-per-second, errors-per-second, and nxdomains-per-second
> on a DNS server is often invisible to the victim of a DNS reflection
> attack. Unless the forged requests of the attack are the same as
> the legitimate requests of the victim, the victim's requests are
> not affected. An all-per-second limit must be at least 4 times as
> large as the other limits, because single DNS clients often send
> bursts of legitimate requests. For example, the receipt of a single
> mail message can prompt requests from an SMTP server for NS, PTR,
> A, and AAAA records as the incoming SMTP/TCP/IP connection is
> considered. The SMTP server can need additional NS, A, AAAA, MX,
> TXT, and SPF records as it considers the SMTP Mail From command.
> 
> 
> paul and vernon
> 
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
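As an added illustration (not code from the patches or from either post), a small Python model of the keying difference the announcement describes: responses-per-second counts identical responses to a client block, while all-per-second counts every response to that block regardless of content, which is why an SMTP server's burst of distinct lookups survives one but not the other. The /24 client aggregation, the single one-second window and the query burst are assumptions made for the model.

```python
from collections import defaultdict

# Constructed burst (not data from the post) matching the announcement's
# scenario: one incoming mail triggers NS/PTR/A/AAAA lookups for the
# connection, then NS/A/AAAA/MX/TXT/SPF lookups for the Mail From domain.
SMTP_BURST = [
    ("mx.example.net", "NS"), ("10.0.0.1.in-addr.arpa", "PTR"),
    ("mx.example.net", "A"), ("mx.example.net", "AAAA"),
    ("sender.example.org", "NS"), ("sender.example.org", "A"),
    ("sender.example.org", "AAAA"), ("sender.example.org", "MX"),
    ("sender.example.org", "TXT"), ("sender.example.org", "SPF"),
]


class OneSecondRRL:
    """Simplified model of two RRL counters over one one-second window.
    responses_per_second is keyed on (client /24, qname, qtype), so only
    identical responses to the same block count against each other.
    all_per_second is keyed on the client /24 alone and ignores content.
    Illustration only, not BIND's implementation (no window, slip, credits).
    """

    def __init__(self, responses_per_second=None, all_per_second=None):
        self.rps = responses_per_second
        self.aps = all_per_second
        self.counts = defaultdict(int)

    @staticmethod
    def block(ip):
        return ".".join(ip.split(".")[:3])  # assumed /24 client aggregation

    def allow(self, client_ip, qname, qtype):
        """Return False if this response would be suppressed."""
        blk, allowed = self.block(client_ip), True
        if self.rps is not None:
            key = ("resp", blk, qname.lower(), qtype)
            self.counts[key] += 1
            allowed &= self.counts[key] <= self.rps
        if self.aps is not None:
            self.counts[("all", blk)] += 1
            allowed &= self.counts[("all", blk)] <= self.aps
        return allowed


def dropped(limiter, client_ip, queries):
    """Number of responses the limiter suppresses for one burst."""
    return sum(not limiter.allow(client_ip, q, t) for q, t in queries)
```

With the burst above, `dropped(OneSecondRRL(responses_per_second=5), "192.0.2.25", SMTP_BURST)` is 0 while `all_per_second=5` drops 5 of the 10 legitimate answers and `all_per_second=20` (four times the other limit) drops none.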
