[ratelimits] rate-limiting enabled by default for CH class?
Evan Hunt
each at isc.org
Thu Jun 6 18:33:28 UTC 2013
> It seems that rate-limiting is enabled by default for the CH class.
To be specific, it's enabled for the _bind view, containing the zones
authors.bind, version.bind, hostname.bind and id.server.
> Is that intentional?
Yes.
> I don't see any documentation to that effect. If so, is
> there a way to disable it completely? Say, something like:
> rate-limit { no; };
You can create your own copy of the _bind view in named.conf, setting
whatever options you like; it will override the defaults. I don't
understand why you'd want to do that, though.
view _bind chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        # Prevent use of this zone in DNS amplified reflection DoS
        # attacks
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
        };

        zone "version.bind" chaos {
                type master;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type master;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type master;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type master;
                database "_builtin id";
        };
};
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
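
Added example, not part of the original message or of BIND's shipped configuration: a named.conf override of the built-in _bind view, as described above, that keeps the default limit for everyone except a monitoring host. It assumes the rate-limit option exempt-clients (not mentioned in the message) and uses 192.0.2.10 as a constructed placeholder address.

```conf
# Local copy of the built-in _bind view. Defining a view with this name
# and class in named.conf replaces the built-in one, so all four zones
# must be repeated here.
view _bind chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        # Keep the anti-amplification limit from the defaults, but do not
        # count queries from the monitoring host against it.
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
                # Assumption: placeholder address of a monitoring host
                # that polls version.bind / hostname.bind.
                exempt-clients { 192.0.2.10; };
        };

        zone "version.bind" chaos {
                type master;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type master;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type master;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type master;
                database "_builtin id";
        };
};
```

Running named-checkconf on the resulting named.conf before reloading confirms that the override parses.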