[dns-operations] DNS RRL light?

Mohamed Lrhazi ml623 at georgetown.edu
Fri Sep 14 12:59:32 UTC 2012


For various reasons, I cannot immediately implement RRL on my DNS
servers... but would like to implement something in the meantime!

Would these two rules be a good start?

- Rate limit clients to 100 qps. Drop for 5 mins if exceeded.
- Rate limit client to 5 identical queries per second. Drop for 5 mins
if exceeded.

I have implemented these rules already, logging drops instead of performing
them, and they do not seem to be dropping any legit clients, and they do
seem to catch the obvious ANY flood I have been watching... but I am
sure there is more to it than meets the eye.

Any logical errors, or other errors, that you see there? Also, any
simple-to-implement enhancements you could add?

Thank you so much.
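As an added example (not part of the original post or of anything else in the list thread), here is an offline simulation of the two proposed rules in Python, run over a few constructed query-log lines laid out like BIND 9 "query:" logging. The 1-second sliding window, the per-client penalty box, the key used for "identical" (client, lower-cased owner name, qtype) and all function and class names are my assumptions about how the rules would be realized; the thresholds are the ones from the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Thresholds taken from the two proposed rules.
CLIENT_QPS = 100        # rule 1: more than 100 queries/s from one client
IDENTICAL_QPS = 5       # rule 2: more than 5 identical queries/s from one client
PENALTY_SECONDS = 300   # both rules: drop the client for 5 minutes

# Assumption: log lines look like BIND 9 query logging. Only the fields
# the rules need (time, client address, qname, qtype) are extracted.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (seconds, client, qname, qtype), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ((ts - EPOCH).total_seconds(), m.group("client"),
            m.group("qname"), m.group("qtype"))


class RateLimiter:
    """Both rules over a 1-second sliding window, with a per-client penalty box."""

    def __init__(self, client_qps=CLIENT_QPS, identical_qps=IDENTICAL_QPS,
                 penalty=PENALTY_SECONDS):
        self.client_qps = client_qps
        self.identical_qps = identical_qps
        self.penalty = penalty
        self.client_window = defaultdict(deque)   # client -> timestamps in last second
        self.query_window = defaultdict(deque)    # (client, qname, qtype) -> timestamps
        self.blocked_until = {}                   # client -> time the penalty expires

    @staticmethod
    def _count(window, now):
        """Record one event and return how many fell inside the last second."""
        window.append(now)
        while now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def check(self, now, client, qname, qtype):
        """Return 'allow' or 'drop:<reason>' for one query."""
        until = self.blocked_until.get(client)
        if until is not None:
            if now < until:
                return "drop:penalty"
            del self.blocked_until[client]     # 5 minutes are over, start fresh
        if self._count(self.client_window[client], now) > self.client_qps:
            self.blocked_until[client] = now + self.penalty
            return "drop:client-qps"
        key = (client, qname.lower().rstrip("."), qtype.upper())
        if self._count(self.query_window[key], now) > self.identical_qps:
            self.blocked_until[client] = now + self.penalty
            return "drop:identical-qps"
        return "allow"


def apply_rules(lines, limiter=None):
    """Run parsable log lines through the limiter; return per-query verdicts and a tally."""
    limiter = limiter or RateLimiter()
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, client, qname, qtype = parsed
        verdicts.append((client, qname, qtype, limiter.check(now, client, qname, qtype)))
    return verdicts, Counter(v[3] for v in verdicts)


# Constructed sample input: one ordinary resolver, one ANY flood from a single
# source, and the same source again once the 5-minute penalty has expired.
SAMPLE_LOG = [
    "14-Sep-2012 12:59:32.001 client 198.51.100.7#41234: query: www.example.edu IN A + (192.0.2.53)",
    "14-Sep-2012 12:59:32.120 client 198.51.100.7#41235: query: mail.example.edu IN MX + (192.0.2.53)",
    "14-Sep-2012 12:59:32.480 client 198.51.100.7#41236: query: www.example.edu IN AAAA + (192.0.2.53)",
] + [
    "14-Sep-2012 12:59:32.%03d client 203.0.113.9#53: query: example.org IN ANY + (192.0.2.53)" % (100 * i)
    for i in range(8)
] + [
    "14-Sep-2012 13:04:33.200 client 203.0.113.9#53: query: example.org IN ANY + (192.0.2.53)",
]

if __name__ == "__main__":
    for client, qname, qtype, verdict in apply_rules(SAMPLE_LOG)[0]:
        print(f"{client:15} {qname:20} {qtype:5} {verdict}")
```

The resolver's three different names pass, the sixth identical ANY query trips rule 2 and the rest of that burst is dropped under the penalty, and the query sent five minutes later is allowed again. Two points worth keeping in mind when turning this into real filter rules: a sliding window is stricter than per-calendar-second buckets (a burst straddling a second boundary is still counted as one second), and both rules key on the source address, so in a spoofed-source flood the "client" being penalised is the reflection victim, which is why RRL proper uses a slip of truncated responses rather than a flat drop.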

