[ratelimits] rate limiting recursive server

Bob Harold rharolde at umich.edu
Fri May 10 17:26:14 UTC 2013


While I agree that request limiting should be done ahead of the DNS server
if possible, in the particular case where one wants to limit the rate at
which a given client can cause the DNS server to do recursion, which is
only decided after the local cache is checked, it cannot be done outside of
the DNS server.  I am not sure if I would use that particular limit, but
someone might.



-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharolde at umich.edu
734-647-6524 desk


On Fri, May 10, 2013 at 1:15 PM, Paul Vixie <paul at redbarn.org> wrote:

> ...
>
> Vernon Schryver wrote:
> > Bob Harold and I have talked in private, and he suggested that our
> > conclusions belong in the mailing list.
> >
> > An open issue is mentioned at the end.
> > ...
> > } The current code considers rate limiting each request only once.
> > } That makes sense for an authoritative server, but might be a bug
> > } on a recursive server.  Perhaps a recursive server should count
> > } a request once if it provokes one or more recursive requests and,
> > } separately, a second time when it produces a response.
> > } I need to think about it and talk to others.
> >
> > Opinions about that last paragraph are needed.
>
> ideally it would only be counted at response time, no matter how much
> upstream iteration was provoked. anything we do at query reception time
> before upstream iteration occurs would at best "request rate limiting"
> which this is not. request rate limiting is best done upstream, in a
> firewall or IPS box, and need not be dns-aware in order to be fully safe
> and fully effective. the goal of request rate limiting would be to
> protect the responding name server's "transaction thread pool" or cpu,
> whereas the goal of response rate limiting is to protect distant victims
> of spoofed-source reflective attacks.
>
> paul
>
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
>
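The two distinct limits the thread contrasts, as an added illustration that is not code from this list or from any RRL implementation: a toy recursive resolver where a per-client recursion limit can only be applied after the cache lookup (Bob's point), while response rate limiting counts every response sent, cache hit or not (Paul's point). The sliding-window limiter, the dict standing in for upstream iteration, and all names and addresses are constructed assumptions.

```python
"""Toy recursive resolver with separate recursion and response limits (constructed)."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of counted events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:  # expire old events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Resolver:
    def __init__(self, upstream, recursion_limit, response_limit, window=1.0):
        self.upstream = upstream  # qname -> answer; stands in for iteration
        self.cache = {}
        self.recursions = SlidingWindowLimiter(recursion_limit, window)
        self.responses = SlidingWindowLimiter(response_limit, window)
        self.upstream_queries = 0  # how many times we actually iterated

    def handle(self, client, qname, now):
        """Return ('answer', rdata), ('refused', None) or ('dropped', None)."""
        answer = self.cache.get(qname)
        if answer is None:
            # Only after the cache miss do we know this query provokes
            # recursion, so this limit cannot live in a front-end firewall.
            if not self.recursions.allow(client, now):
                return ("refused", None)  # toy choice: REFUSED is not counted as a response
            self.upstream_queries += 1
            answer = self.upstream[qname]
            self.cache[qname] = answer
        # Response rate limiting counts at response time, regardless of
        # whether upstream iteration happened; this is what protects
        # spoofed-source victims of reflection.
        if not self.responses.allow(client, now):
            return ("dropped", None)
        return ("answer", answer)
```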