[ratelimits] Referrals incorrectly limited.

Vernon Schryver vjs at rhyolite.com
Thu Jan 10 15:29:42 UTC 2013

> From: Gilles Massen <gilles.massen at restena.lu>

> Indeed. For me it is very difficult to accept limitations to anything
> that is not directly harmful. To keep the example of that "research": I
> may not agree with the aims or methods, and I would not intervene to
> make their lives easier, but their traffic is correctly formatted DNS
> traffic, the return traffic goes to the sender, and the volume is not
> causing problems to our server. Therefore I do not want it impacted as
> collateral damage. You might consider it as a commitment to a certain
> form of net neutrality.

As the operator of the absolutely trivial authority servers for
61.188.192.in-addr.arpa, I see that position as similar to the position
of some open SMTP relays about relaying spam.  The as fast as possible,
never ending, endlessly repeated "research" probing of my /24 doesn't
do worse than endlessly trigger RRL on my DNS servers.  I find that
noise in my RRL logs irritating and inconvenient as I eat my own dog
food and watch for RRL bugs.  I assume that the bad guys do enough
caching and retrying that rate limiting referrals by the *.arin.net
servers for 192.in-addr.arpa would not help me, but wire speed
referrals still smell like collaboration with abusers.

> > Are your DNS servers open recursive servers?  

> No open recursive servers. Honoring RD=1 would be a different service,
> clearly announced with RA=1. Our mission however is only the TLD, and
> with RA=0 we don't raise any different expectations.

Any service announcing must happen before the service is requested.
RA=0 is not an announcement but an error code explaning a short or
REFUSED response.  RA=1 in your responses would be no more an announcement
that you would honor RD=1 than the non-existent announcement that your
DNS servers will honor requests at any particular rate.

That you don't give long responses for RD=1 because you respond with
RA=0 doesn't answer the question given your previous statement about
the good of the Internet and so forth.  Why don't you set RA=1 and
answer RD=1 with full answers instead of referrals?  That would provide
a more valuable service to more of the Internet than referrals.  Instead
of sending referrals, you could save your DNS clients (including those
cursed "researchers") significant bandwidth and time by sending them
final answers.

Besides the undoubted answer that open recursives have long been seen
as evil but unrate-limited DNSSEC aware referrers are not yet understood
the same, there is another answer.  If you honored the RD=1 that I
suspect is in those "research" requests, your server would be rate
limited by the authoritive servers.  Depending on how openly evil those
"researchers" are, that would either choke and kill your servers with
recursive contexts or indirectly rate limit the "researchers."

(after turning on rate limit after a complaint about an attack)

> Sincerely: I hope very much I would turn it off. Certainly yes if the
> attacks ceased.

At the referral server you cannot distinguish between a DNS reflection
attack and "research" without talking to the researcher/victim.
Turning on rate limiting after a complaint from a DoS victim and
turning it off when that particular stream stops would inevitiably
subject new victims to at least hours of DoS reflection attack
from your servers.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list