[ratelimits] rate limiting recursive server

Vernon Schryver vjs at rhyolite.com
Tue Apr 16 21:38:41 UTC 2013


> From: "Patrick W. Gilmore" <patrick at ianai.net>

> We have a recursive server we need to leave open for diagnostic
> purposes. It is running BIND. Is there a way to limit it to a few qps so
> it cannot be used (effectively) as an amplifier?

The BIND RRL code does not care or even notice whether it is used on
recursive or authoritative servers.  Only users care; perhaps users
running HTTP clients (browsers) or SMTP servers (mail receivers)
might notice.  RRL can slow applications as they retry repeated requests
for domain names in <IMG> and <SCRIPT> tags, or for DNSBL records for SMTP
client IP addresses or URLs in mail bodies.

If you don't have the fancy rate limiting and other defenses used
by those in the commercial recursive server business
(e.g. https://developers.google.com/speed/public-dns/docs/security#rate_limit )
then the best thing to do with an open recursive DNS server is to close it.
If you can't close it, then RRL is a reasonable second choice.


Vernon Schryver    vjs at rhyolite.com
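As an added illustration, not from this thread or from BIND's own documentation, here is a named.conf sketch of the two choices above: close the resolver with `allow-recursion`, or, if it must stay open, apply RRL. Note that RRL caps identical responses per client prefix rather than the server's total qps, so it blunts amplification without turning the box into a "few qps" resolver. The network ranges and numbers are constructed placeholders.

```conf
// Option 1 (preferred): close the resolver to everyone but the
// diagnostic networks.  Prefixes below are constructed placeholders.
acl diagnostic-nets { 192.0.2.0/24; 2001:db8::/32; };

options {
    recursion yes;
    allow-recursion   { diagnostic-nets; localhost; };
    allow-query-cache { diagnostic-nets; localhost; };

    // Option 2: if recursion really must stay open, rate limit responses.
    // RRL counts identical responses per client prefix (/24 and /56 by
    // default), so a forged source address gets only a few full answers
    // per second; "slip" turns some dropped answers into small TC=1
    // replies that legitimate clients recover from by retrying over TCP.
    rate-limit {
        responses-per-second 5;   // identical answers per prefix per second
        errors-per-second 5;      // NXDOMAIN, SERVFAIL and similar
        all-per-second 50;        // hard cap on everything sent to one prefix
        window 5;                 // rolling window (seconds) for the counts
        slip 2;                   // every 2nd dropped response becomes TC=1
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        exempt-clients { diagnostic-nets; }; // browsers/MTAs you know about
        log-only yes;   // start here: log what would be dropped, then set no
    };
};
```

Run with `log-only yes` first and watch the logs for the browser and mail-server effects described above before enforcing.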

