Response Rate Limiting in the Domain Name System (DNS RRL)

This page describes DNS Response Rate Limiting (DNS RRL) which is an advanced pre-standard feature for domain name servers including CZ-NIC Knot DNS, NLNetLabs NSD, and ISC BIND9.

These patches and instructions pertain to authority name servers or authoritative views. Use of this kind of rate limiting for recursive or hybrid servers or views is currently unspecified.

Note Well: This is DNS RRL, meant to be implemented in many different name servers. It is not a BIND-specific feature, even though BIND was the first name server for which DNS RRL was implemented. DNS RRL will eventually be submitted to the IETF for standardization work. The need for DNS RRL is immediate and pressing, and the IETF processing of this work was therefore planned to come last rather than first.

References:

  • Patches to current BIND9 to fix bugs in RRL
  • Debian ships a BIND9 9.8.4 package containing RRL
  • ISC BIND9 9.10 release notes
  • Nominum has tunable rate limiting as of Vantio TMCacheServe 5.4
  • Red Hat Enterprise Linux update for RRL in BIND
  • Release notes for CZ-NIC Knot DNS, available as a standard Knot feature as of Version 1.2-RC3, released 2013-03-01
  • Implementation notes for NLNetLabs NSD, available as a standard NSD feature as of version 3.2.15, released 2013-02-04
  • Technical note describing the implementation and operation of DNS Response Rate Limiting (RRL).
  • Blog post On the Time Value of Security Features in DNS
  • ACM Queue article Rate Limiting State

Instructions for BIND9:

  • Install the patched BIND9 server (BIND9 9.10 or later)
  • Read the above-linked technical note to familiarize yourself with the technology
  • Add something like this to your options block in your authoritative-only views:

    rate-limit {
        responses-per-second 15;
        window 5;
    };

  • Restart your name server and verify that it is operating normally
  • Test the rate limiting using a command similar to the one below:

    repeat 10 dig @server-ip-address +short +tries=1 +time=1 your-zone.com a

    The result should be at least one timeout out of the ten successive answers.

Beyond that:

Please consider joining the ratelimits mailing list in order to join discussions about this technology. Especially interesting are stories of what worked and what did not work.

Credits:

This work is a joint effort by Vernon Schryver and Paul Vixie.

  • By vixie at 2012-06-10 23:39