[ratelimits] Knot DNS 1.2.0-rc3 release

Marek Vavruša marek.vavrusa at nic.cz
Fri Mar 1 16:54:29 UTC 2013

Hi everyone,

I'm happy to announce that the 3rd and hopefully final release
candidate of Knot DNS 1.2.0 is out!
This one not only brings a few bugfixes, but also a new feature.
The hot topic of the day - Response Rate Limiting, based on the work
of Vernon Schryver and Paul Vixie
If you're not familiar with the topic, it is a way to combat DNS
amplification and reflection attacks.
General idea is to identify flows in outgoing responses and block
responses exceeding the rate limit.
To get at least some degree of service for victims a mechanism called
SLIP is used, causing each Nth blocked response to
be sent as truncated, thus enabling legitimate requests to reconnect over TCP.

You can enable rate limiting by setting option "rate-limit" to a value
greater than 0, for example:
system {
  rate-limit 100;

For more about rate limiting knobs, refer to the documentation or a
sample configuration.
Any feedback is more than welcome before it lands in the final version!

As usual, you can find a full list of changes at

Sources: https://secure.nic.cz/files/knot-dns/knot-1.2.0-rc3.tar.gz
GPG signature: https://secure.nic.cz/files/knot-dns/knot-1.2.0-rc3.tar.gz.asc

Packages available at www.knot-dns.cz will be updated soon as well.

Have a nice weekend,
Marek Vavruša Knot DNS
CZ.NIC Labs http://www.knot-dns.cz
Americká 23, 120 00 Praha 2, Czech Republic
WWW: http://labs.nic.cz http://www.nic.cz

More information about the ratelimits mailing list