[ratelimits] CH/TXT/id.server queries rate-limited

Jay Daley jay at nzrs.net.nz
Fri Oct 26 21:13:32 UTC 2012

On 27/10/2012, at 9:55 AM, Jay Daley <jay at nzrs.net.nz> wrote:

>> On the contrary, that would increase the number of records by a factor
>> of 5 (1 second versus 5 seconds).  Unlike rate limiting IP packets
>> and HTTP client IP addresses, at timescales shorter than DNS TTLs,
>> DNS (IP,qname,qtype) streams are almost all single, unique responses/requests.
>> They are not streams.  A DNS response rate limiter needs about as many
>> buckets as window*qps.  In my code, practically all buckets are discarded
>> or recycled after 1 second.  Your code would need to keep all buckets
>> for 5 seconds before discarding almost all of them with final counts of 1.
> Ah, understood.

Sorry, I got confused.  I was not suggesting an independent second bucket, which would require the fivefold (or whatever the window size is) increase, but a second limit that is imposed when a rate limit has kicked in and the window penalty is now being imposed.  Again, the only intention would be to limit sustained attacks.


Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
linkedin: www.linkedin.com/in/jaydaley
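As an added illustration of the bucket-count point in the quoted paragraph (example code written for this page, not code from either participant or from any RRL implementation): a toy limiter keyed on (IP, qname, qtype) fed a constructed stream of all-unique queries, showing that live buckets scale with window*qps (100 qps gives 100 buckets at a 1 s window and 500 at 5 s), plus a repeated-query burst to show the per-key limit itself. Times are integer milliseconds to keep the arithmetic exact.

```python
# Simplified DNS response rate limiter, modelled on the quoted description:
# one bucket per (client IP, qname, qtype); a bucket is discarded once a full
# window has passed since it was created.  Times are integer milliseconds.


class ResponseRateLimiter:
    def __init__(self, window_ms, limit):
        self.window_ms = window_ms   # how long a bucket survives before discard
        self.limit = limit           # responses allowed per key per window
        self.buckets = {}            # (ip, qname, qtype) -> [count, first_seen_ms]

    def sweep(self, now_ms):
        """Discard buckets whose window has expired; return how many remain."""
        expired = [k for k, (_, t0) in self.buckets.items() if now_ms - t0 >= self.window_ms]
        for k in expired:
            del self.buckets[k]
        return len(self.buckets)

    def allow(self, now_ms, client_ip, qname, qtype):
        """True if the response may be sent, False if it is rate-limited."""
        self.sweep(now_ms)
        bucket = self.buckets.setdefault((client_ip, qname, qtype), [0, now_ms])
        bucket[0] += 1
        return bucket[0] <= self.limit

    def live_buckets(self):
        return len(self.buckets)


def peak_buckets(window_ms, qps, n_queries):
    """Feed n_queries all-unique (ip, qname, qtype) tuples at a steady qps and
    return the peak number of live buckets.  Constructed input: every query is
    unique, mirroring the observation that DNS streams are mostly single responses."""
    rrl = ResponseRateLimiter(window_ms, limit=5)
    peak = 0
    for i in range(n_queries):
        now_ms = i * 1000 // qps
        rrl.allow(now_ms, f"198.51.100.{i % 250}", f"q{i}.example.", "A")
        peak = max(peak, rrl.live_buckets())
    return peak


def burst_outcome(limit, repeats):
    """Same key repeated `repeats` times inside one window; return (allowed, dropped)."""
    rrl = ResponseRateLimiter(window_ms=1000, limit=limit)
    allowed = sum(rrl.allow(10 * i, "203.0.113.7", "example.com.", "A") for i in range(repeats))
    return allowed, repeats - allowed


if __name__ == "__main__":
    for w in (1000, 5000):
        print(f"window {w} ms at 100 qps -> peak live buckets {peak_buckets(w, 100, 1000)}")
    print("burst of 50 identical queries, limit 5 ->", burst_outcome(5, 50))
```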
