[ratelimits] defaults for DNS-RRL
Daniel Stirnimann
stirnima at switch.ch
Thu Mar 7 08:10:18 UTC 2013
Hi
I wonder what default settings other operators who have applied
DNS RRL are using. Below are the settings I'm currently using.
// use DNS Response Rate Limiting (DNS RRL)
rate-limit {
        // start rate-limiting if more than X identical
        // responses per second, default 5
        responses-per-second 20;
        // as current attack patterns produce rcode NOERROR we relax
        // rate-limiting for other response rcodes, default 5
        nxdomains-per-second 30;
        errors-per-second 30;
        // credit/penalty WINDOW in seconds, default 15
        window 10;
        // send TC for every X-th rate-limited response, default 2
        slip 3;
        // set to max. of normal query load x WINDOW
        min-table-size 15000;
        // set to max. of query load the server can handle x WINDOW
        max-table-size 1000000;
        // do not rate-limit own clients/monitoring system
        exempt-clients { ACLXYZ; };
};
It seems to me that the default responses-per-second rate limit of 5
in particular is quite low, or in other words very strict, and that it
potentially rate-limits clients which do not cause any problems. In my
experience it will already rate-limit monitoring clients.
I have attached two pictures of an authoritative name server which is
currently not being abused by a DNS amplification attack. They show
that rate-limiting is mostly not being applied.
Regards,
Daniel
Attachments (scrubbed by the list archive):
  bind-statistics-dns-rrl.png (image/png, 14614 bytes):
  <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130307/213928ab/attachment-0002.png>
  bind-statistics-querytype.png (image/png, 26211 bytes):
  <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130307/213928ab/attachment-0003.png>
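To make the effect of the responses-per-second / window / slip settings discussed in the post concrete, the following Python script is an added example, not code from the post and not BIND's implementation. It is a simplified credit/penalty model of RRL accounting run over constructed traffic from a single monitoring-style client that repeats the same query ten times a second, the situation the post says already trips the default limit of 5. The model's assumptions are labelled in the docstring: accounts keyed by client prefix plus response identity (/24 for IPv4, /56 for IPv6), refill at the configured rate capped at rate x window, a new account starting with a full balance, the balance floored at the negative of that cap, and every slip-th limited response truncated (TC) instead of dropped. Treat it as an approximation of the documented RRL behaviour, useful for comparing settings, not as BIND's exact code; the client address and query name are made up.

```python
"""Toy model of BIND-style DNS Response Rate Limiting (RRL) accounting.

Added illustration, not BIND's code.  Model assumptions:
  * accounts are keyed by (client prefix, qname, qtype); the prefix is
    /24 for IPv4 and /56 for IPv6, BIND's defaults
  * an account refills at `rate` credits per second, capped at
    rate * window, and a new account starts with a full balance
  * each response costs one credit; when the balance is negative the
    response is limited, and every `slip`-th limited response is sent
    truncated (TC=1) instead of dropped (slip 0 drops everything)
  * the balance is floored at -(rate * window), so a client that stops
    misbehaving recovers within `window` seconds
Credits are kept as integers in 1/1000 units to avoid float drift.
"""
from collections import Counter
import ipaddress

MILLI = 1000  # credits are tracked in thousandths


class RrlModel:
    def __init__(self, rate=5, window=15, slip=2):
        self.rate, self.window, self.slip = rate, window, slip
        self.cap = rate * window * MILLI
        self.accounts = {}  # key -> [balance_milli, last_ms, limited_seen]

    @staticmethod
    def _key(client_ip, qname, qtype):
        """Group clients by prefix and responses by (qname, qtype)."""
        ip = ipaddress.ip_address(client_ip)
        plen = 24 if ip.version == 4 else 56
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now_ms, client_ip, qname, qtype):
        """Return 'answer', 'slip' (TC reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype)
        acct = self.accounts.setdefault(key, [self.cap, now_ms, 0])
        balance, last_ms, limited_seen = acct
        # refill since the last response, then charge this response
        balance = min(self.cap, balance + (now_ms - last_ms) * self.rate)
        balance = max(-self.cap, balance - MILLI)
        acct[0], acct[1] = balance, now_ms
        if balance >= 0:
            return "answer"
        acct[2] = limited_seen + 1
        if self.slip and acct[2] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(rate, window, slip, qps, seconds,
             client="192.0.2.10", qname="www.example.ch", qtype="A"):
    """Constructed traffic (made-up client and name): one client repeats
    the same query `qps` times per second for `seconds`, like a monitoring
    probe.  Returns a Counter of answer/slip/drop decisions."""
    model = RrlModel(rate, window, slip)
    counts = Counter()
    for i in range(qps * seconds):
        now_ms = i * MILLI // qps
        counts[model.decide(now_ms, client, qname, qtype)] += 1
    return counts


if __name__ == "__main__":
    # default responses-per-second 5 versus the post's 20, window 15, slip 2
    for rate in (5, 20):
        c = simulate(rate=rate, window=15, slip=2, qps=10, seconds=60)
        print(f"responses-per-second {rate}: {dict(c)}")
```

Under this model a 10 qps probe against the default of 5 responses per second is answered for the first 15 seconds (the window's worth of stored credit), after which roughly half of its replies are dropped and half come back truncated; with responses-per-second 20 the same probe never dips below zero and is never limited. Swapping in the post's window 10 / slip 3 or a different qps shows how quickly a given client hits the limit and what fraction of limited responses still get a TC hint to retry over TCP.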