[ratelimits] defaults for DNS-RRL

Daniel Stirnimann stirnima at switch.ch
Thu Mar 7 08:10:18 UTC 2013


I wonder what default settings other operators are using who have
DNS RRL applied. Below are the settings I'm currently using.

// use DNS Response Rate Limiting (DNS RRL)
rate-limit {
  // start rate-limiting if more then X identical
  // responses per second, default 5
  responses-per-second 20;
  // as current attack pattern produce rcode NOERROR we relax
  // rate-limiting for other response rcodes, default 5
  nxdomains-per-second 30;
  errors-per-second 30;
  // credit/penalty WINDOW, default 15
  window 10;
  // send TC for every X-th rate-limited response, default 2
  slip 3;
  // set to max. of normal query load x WINDOW
  min-table-size 15000;
  // set to max.  of query load the server can handle x WINDOW
  max-table-size 1000000;
  // do not rate-limit own clients/monitoring system
  exempt-clients  { ACLXYZ; };

It seems to me, that especially the default response-per-second
rate-limit of 5 is quite low or in other words very strict and it
potentially rate-limits clients which do not cause any problems. In my
experience it will already rate-limit monitoring clients.

I have attached two pictures of an authoritative name-server which is
currently not being abused by a DNS amplification attack. It shows that
rate-limiting is mostly not being applied.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-statistics-dns-rrl.png
Type: image/png
Size: 14614 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130307/213928ab/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-statistics-querytype.png
Type: image/png
Size: 26211 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130307/213928ab/attachment-0003.png>

More information about the ratelimits mailing list