[ratelimits] rate limiting recursive server

Paul Vixie paul at redbarn.org
Fri May 10 17:15:06 UTC 2013


...

Vernon Schryver wrote:
> Bob Harold and I have talked in private, and he suggested that our
> conclusions belong in the mailing list.
>
> An open issue is mentioned at the end.
> ...
> } The current code considers rate limiting each request only once.
> } That makes sense for an authoritative server, but might be a bug
> } on a recursive server.  Perhaps a recursive server should count
> } a request once if it provokes one or more recursive requests and,
> } separately, a second time when it produces a response.
> } I need to think about it and talk to others.
>
> Opinions about that last paragraph are needed.

ideally it would only be counted at response time, no matter how much
upstream iteration was provoked. anything we do at query reception time
before upstream iteration occurs would at best be "request rate limiting"
which this is not. request rate limiting is best done upstream, in a
firewall or IPS box, and need not be dns-aware in order to be fully safe
and fully effective. the goal of request rate limiting would be to
protect the responding name server's "transaction thread pool" or cpu,
whereas the goal of response rate limiting is to protect distant victims
of spoofed-source reflective attacks.

paul
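The counting model argued for above, as an added Python sketch that is not code from this thread or from any RRL implementation: the limiter does no accounting when a query arrives or during upstream iteration, and charges the client prefix exactly once when a response is about to leave. The class and function names, the /24 keying and the fixed-window counter are assumptions for illustration.

```python
# Added example: response-time-only accounting for a recursive server.
# Not the ratelimits list's or BIND's code; names and policy are assumed.
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Fixed-window counter keyed on the client's IPv4 /24 (assumed policy).
    The counter moves only when a response is about to be sent."""

    def __init__(self, responses_per_second=5, window_seconds=1):
        self.limit = responses_per_second
        self.window = window_seconds
        self.counts = defaultdict(int)  # (prefix, window_id) -> responses sent
        self.upstream_sent = 0          # upstream iterations, kept only as a stat

    @staticmethod
    def _prefix(client_ip):
        return str(ipaddress.ip_network(f"{client_ip}/24", strict=False))

    def on_query(self, client_ip, now):
        # Query reception: no accounting. Protecting the server's own
        # thread pool/CPU is request rate limiting, left to a firewall or IPS.
        return "iterate"

    def on_upstream_query(self):
        # Each upstream round trip is recorded but never charged to the client.
        self.upstream_sent += 1

    def on_response(self, client_ip, now):
        # Called once per completed query, however many iterations it took.
        key = (self._prefix(client_ip), int(now // self.window))
        self.counts[key] += 1
        return "send" if self.counts[key] <= self.limit else "drop"


def simulate(limiter, events):
    """events: constructed list of (time, client_ip, upstream_iterations).
    Returns one on_response decision per completed query."""
    decisions = []
    for t, ip, iterations in events:
        limiter.on_query(ip, t)
        for _ in range(iterations):
            limiter.on_upstream_query()
        decisions.append(limiter.on_response(ip, t))
    return decisions


if __name__ == "__main__":
    # Constructed sample: seven queries within one second from one /24,
    # needing 1..3 upstream round trips each; only the 6th and 7th are dropped.
    lim = ResponseRateLimiter(responses_per_second=5)
    print(simulate(lim, [(0.1 * i, f"192.0.2.{i}", 1 + i % 3) for i in range(7)]))
```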


