[ratelimits] defaults for DNS-RRL

Tony Finch dot at dotat.at
Thu Mar 7 09:51:57 UTC 2013

Daniel Stirnimann <stirnima at switch.ch> wrote:
> I wonder what default settings other operators are using who have
> DNS RRL applied.

I'm using responses-per-second 2 on my small server, mainly to see how
aggressive I can get without causing problems. At this level it does
sometimes reject legit queries from name server clusters. Other settings
are the defaults.

>   // start rate-limiting if more than X identical
>   // responses per second, default 5
>   responses-per-second 20;

The default is 0, i.e. unlimited.

>   // as current attack pattern produce rcode NOERROR we relax
>   // rate-limiting for other response rcodes, default 5
>   nxdomains-per-second 30;
>   errors-per-second 30;

These default to the same as responses-per-second.

>   // set to max. of normal query load x WINDOW
>   min-table-size 15000;
>   // set to max. of query load the server can handle x WINDOW
>   max-table-size 1000000;

The documentation suggests that the table size should be about
the query rate per second, not per window.

> It seems to me, that especially the default response-per-second
> rate-limit of 5 is quite low or in other words very strict and it
> potentially rate-limits clients which do not cause any problems.

Yes. The documentation suggests 10 is reasonable.

> In my experience it will already rate-limit monitoring clients.

Shouldn't they be using a recursive server, rather than querying the
authority directly?

My server routinely sin-bins our Nessus scanner which I think is perfectly
fair given the kind of junk Nessus throws at it.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
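The settings discussed in this thread, collected into one BIND `rate-limit` block as an added illustration (not configuration from either poster): the table sizes follow the reply's reading of the documentation (per-second query rate, not rate x window), the numeric values and the `192.0.2.0/24` monitoring prefix are placeholders, and `exempt-clients` and `log-only` are standard options added here to address the monitoring-client problem raised above.

```conf
options {
    rate-limit {
        // Start limiting identical responses to one client /24 (IPv4) or /56
        // (IPv6) above this rate; 0 means unlimited. The thread suggests 10
        // rather than the documented 5.
        responses-per-second 10;
        // Separate budgets for NXDOMAIN and error rcodes; when omitted they
        // inherit responses-per-second.
        nxdomains-per-second 30;
        errors-per-second 30;
        // Seconds of history kept per client bucket.
        window 15;
        // Size from the per-second query rate, not rate x window:
        // min around normal load, max around what the server can handle.
        // Placeholder values; measure your own query rate first.
        min-table-size 1000;
        max-table-size 60000;
        // Monitoring hosts that must never be sin-binned (placeholder prefix).
        exempt-clients { 192.0.2.0/24; };
        // Observe before enforcing: log what would be dropped, drop nothing.
        log-only yes;
    };
};
```

Run with `log-only yes` until the logged drops contain only traffic you are willing to lose, then remove the line to enforce.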