[ratelimits] rate limiting recursive server

Jared Mauch jared at puck.nether.net
Wed May 8 22:24:08 UTC 2013


On Apr 18, 2013, at 6:34 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:

> It is only (supposed to be) used by users during diagnostics. I.e. "I can't get to $AKAMAIZED_SITE", "Please click on $URL <that does a lookup against NS among other things>".
> 
> As a result, load is low by most standards, but has to be wide open since users anywhere can have issues.

They may see issues if you are limiting to 1qps, unless you do some hash of 1qps per IP. For this use case, you could always just set TC=1 as well IMHO. That would keep you from being an amp.

>>  It might be nice if the Open DNS Resolver Project could distinguish
>>   open resolvers that are useful for current reflection attacks
>>   from those that are rate limited.  On the other hand, that might
>>   be too useful to the bad guys.
> 
> Feature request!
> 
> Is Jared on this list?

So, there are various statistics available, I'm not sure how to collect that information without potentially abusing these end-hosts to fingerprint their behavior.

What I think many of us have noticed (upon reviewing the detailed stats at http://openresolverproject.org/breakdown.html) is:

32959644 servers responded to udp/53 probe
15299674 responded from a source port other than udp/53

Or, 46.4% of the IPs in the list are *really* broken in some way, e.g. some NAT/CPE device that otherwise replies with something "odd". If there is a collaborator, perhaps I can go out there and take the list and fingerprint the ones that *do* reply to a version.bind query and provide further derivative data about their behavior. Ideally this would be someone wanting to study DNS as part of their PhD. Otherwise, maybe I'll have to just find some professor who will let me do a dissertation under their guidance and do it myself.

FYI: There are many Android devices that, when configured to tether, become open resolvers (!). This is a very interesting dataset if you start pulling at these threads. There are also those servers that responded and gave the wrong answer as well. If you are in Dublin Sunday/Monday you should be at DNS-OARC with me, where I will be sharing some of this data.

- jared
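One way to implement the per-IP limit plus the TC=1 fallback Jared suggests above, as an added example that is not code from this thread or from the Open Resolver Project: a token bucket per source address, and when a source exceeds it, a minimal truncated reply that echoes only the question, so the UDP answer is no larger than the query and a real client simply retries over TCP. The query builder, the addresses and the rate/burst values are constructed assumptions.

```python
import struct
import time

class PerSourceLimiter:
    """Token bucket per client IP (rate = tokens/sec, burst = bucket size)."""
    def __init__(self, rate=1.0, burst=2, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # ip -> (tokens, last_refill_time)

    def allow(self, ip):
        now = self.clock()
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False

def truncated_reply(query):
    """Build a minimal TC=1 reply: same ID and question section, no RRs."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    pos = 12  # walk past qdcount names (labels or a compression pointer) + qtype/qclass
    for _ in range(qdcount):
        while True:
            n = query[pos]
            if n == 0:
                pos += 1
                break
            if n & 0xC0:  # compression pointer: two bytes, ends the name
                pos += 2
                break
            pos += 1 + n
        pos += 4
    # QR=1, keep opcode and RD from the query, set TC=1 and RA=1, rcode NOERROR
    rflags = 0x8000 | (flags & 0x7900) | 0x0200 | 0x0080
    return struct.pack("!HHHHHH", qid, rflags, qdcount, 0, 0, 0) + query[12:pos]

def handle(limiter, src_ip, query, resolve):
    """Return (response_bytes, was_slipped): full answer, or TC=1 slip when over limit."""
    if limiter.allow(src_ip):
        return resolve(query), False
    return truncated_reply(query), True

def build_query(qname, qid=0x1234):
    """Constructed helper: a standard RD=1 query for an A record in class IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
```

With a fixed clock the third query from one address in the same second gets the 29-byte truncated reply instead of the large answer, while a different address is still served in full.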

