[dns-operations] DNS ANY requests from Amazon?
vjs at rhyolite.com
Mon Dec 17 21:08:09 UTC 2012
> It's starting to look like per-client-IP rate-limiting features
> are necessary...
> There is a patch available for rate-limiting inside BIND.
There is also RRL code for NSD.

Please note that the main thrust of the BIND and NSD rate limiting
code is response rate limiting (RRL) and *NOT* per-client IP address
rate limiting. Per-client rate limiting is generally the best that
can be done with simple firewall rules or access control lists, but
has limitations and can cause harm. While rate limiting by client IP
address stops a reflection attack, it also turns off almost all DNS
service to the client from the server. Temporarily denying name service
to a target has long been a major part of more serious security problems
than denials of service. For example, if you need to fool your target
about the IP address of www.example.com, it's handy to have the several
seconds of a full set of DNS client timeouts to try many DNS transaction
IDs instead of only the milliseconds before the real answer arrives.

With RRL (especially with the "slip" feature), the victim of a reflection
attack often sees no change in DNS services from the rate limiting
server during a reflection attack. With client IP address rate limiting,
the server stops answering practically all requests from the victim.

The current version of the BIND RRL patch does have support for
per-client rate limiting, but it exists only to satisfy popular
demand. Its use is a bad idea in most cases.

I've said something like this before but I keep seeing claims that
BIND rate limiting is harmful or bad based on the mistaken notion that
it limits requests by IP addresses instead of limiting responses by

The other common claim about RRL is that it is too expensive. Never
mind that much bigger servers are using RRL than the servers run by
people expressing that concern.
Vernon Schryver vjs at rhyolite.com
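As an added illustration of the distinction drawn in the post above (this is constructed example code, not the BIND or NSD RRL implementation), the following Python model runs the same traffic through a per-client-IP limiter and through a simplified RRL with "slip": an attacker spoofs the victim's address in repeated ANY queries, and the victim's own genuine queries are interleaved. The window size, the slip value and the /24-plus-response key are assumptions of the model, not either implementation's defaults.

```python
from collections import Counter

RATE = 5      # assumed: responses allowed per window per key
VICTIM = "192.0.2.10"  # constructed: address being spoofed by the reflector abuse

def per_client_limit(queries):
    """Firewall/ACL style: drop every query beyond RATE from the same source IP."""
    seen, out = Counter(), []
    for src, qname, qtype in queries:
        seen[src] += 1
        out.append((src, "answer" if seen[src] <= RATE else "drop"))
    return out

def rrl_with_slip(queries, slip=2):
    """Simplified RRL: the key is the client's /24 plus the identity of the
    response (name and type), so only *identical* responses to one network are
    limited. Beyond RATE, every slip-th excess is sent as a small truncated
    (TC=1) reply instead of being dropped, so a genuine client retries over TCP."""
    seen, out = Counter(), []
    for src, qname, qtype in queries:
        key = (src.rsplit(".", 1)[0], qname, qtype)
        seen[key] += 1
        if seen[key] <= RATE:
            out.append((src, "answer"))
        elif (seen[key] - RATE) % slip == 0:
            out.append((src, "truncated"))
        else:
            out.append((src, "drop"))
    return out

def build_traffic():
    """Constructed sample: 60 spoofed 'ANY example.com' queries claiming to be
    from VICTIM, with one genuine query from VICTIM for another name after
    every ten of them. Returns the traffic and the indexes of the genuine ones."""
    legit = [(VICTIM, f"host{i}.example.net", "A") for i in range(6)]
    traffic, legit_idx = [], []
    for i in range(60):
        traffic.append((VICTIM, "example.com", "ANY"))
        if i % 10 == 9:
            legit_idx.append(len(traffic))
            traffic.append(legit.pop(0))
    return traffic, legit_idx

def usable_replies_for_victim(policy):
    """How many of the victim's own queries still get a usable reply
    (a full answer or a truncated one it can retry over TCP)."""
    traffic, legit_idx = build_traffic()
    result = policy(traffic)
    return sum(result[i][1] != "drop" for i in legit_idx)
```

Under the per-client policy the victim's own lookups are lost along with the spoofed flood; under RRL they all still get a reply because they are different responses, while the repeated ANY reflection is what gets limited.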