[dns-operations] DNS ANY requests from Amazon?

Paul Vixie paul at redbarn.org
Mon Dec 17 20:17:18 UTC 2012


On 2012-12-17 7:57 PM, Patrick, Robert (CONTR) wrote:
> ...
>
> Where some customers haven't implemented rate-limiting within BIND, mitigation is available at the O/S and network layer.  As an example, there are connection limits that can be enforced with iptables on Linux.  Per-source-IP connection limits can also be restricted on Cisco ASA firewalls (and likely other vendor products).

such rate limits are too coarse-grained for dns authority service. if
you limit your request flows rather than your response flows, then your
only choice is: too low, where a legitimate client asking a legitimately
diverse set of questions, does not get reliable service; or, too high,
where an attacker can get enough of your bandwidth directed at a victim
to be damaging.

OS-level rate limiting also lacks the ability to insert TC=1 responses
on a statistical basis, thus transforming rate limiting into transaction
delay rather than transaction loss.

to make this work without breaking things, the rate limiting logic has
to be within the server itself, and it has to be applied to responses
not requests.

> There is a patch available for rate-limiting inside BIND.

see http://www.redbarn.org/dns/ratelimits for background, including
patches (which are not currently supported by ISC) and a technical note
(which looks a bit like an RFC that some day i hope RRL will deserve.)

paul
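A small model of the response-side rate limiting the message argues for, added here as an illustration (it is not from the post or from the RRL patches linked above): the limit is keyed on the response rather than the request, and a configurable fraction of over-limit responses is sent with TC=1 instead of being dropped. The limit values, window, prefix length and traffic are constructed for the example.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Toy model of response rate limiting (RRL) as the post describes it.

    Limits are keyed on the response (client network + what is answered), not on
    request counts, so a resolver asking many different questions is untouched
    while a flood of identical responses toward one network is throttled. Every
    slip-th over-limit response is sent truncated (TC=1) instead of dropped, so a
    genuine client retries over TCP: delay, not loss. Values are constructed.
    """

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix=24):
        self.limit = responses_per_second
        self.slip = slip
        self.prefix = ipv4_prefix
        self.buckets = defaultdict(lambda: [None, 0])  # key -> [second, sent]
        self.over = defaultdict(int)                   # key -> over-limit count

    def _key(self, client_ip, qname, qtype, rcode):
        # Spoofed sources vary within a prefix, so aggregate by network.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'answer', 'truncate' (TC=1) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode)
        bucket = self.buckets[key]
        second = int(now)
        if bucket[0] != second:  # new one-second window
            bucket[0], bucket[1] = second, 0
        bucket[1] += 1
        if bucket[1] <= self.limit:
            return "answer"
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate():
    """Constructed one-second traffic: 20 distinct questions vs 20 identical ANY answers to one /24."""
    rrl = ResponseRateLimiter()
    legit = [rrl.decide(0.0, "192.0.2.10", f"host{i}.example.net", "A")
             for i in range(20)]
    flood = [rrl.decide(0.0, f"198.51.100.{i}", "example.net", "ANY")
             for i in range(20)]
    return legit, flood
```

Running `simulate()` shows the distinction the post draws: the resolver with diverse questions gets every answer, while the identical responses toward one network are cut to the limit, with alternating over-limit responses truncated rather than lost.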


