[dns-operations] DNS RRL light?

Vernon Schryver vjs at rhyolite.com
Fri Sep 14 22:37:15 UTC 2012

> - Rate limit clients to 100 qps. Drop for 5 mins if exceeded.
> - Rate limit client to 5 identical queries per second. Drop for 5 mins
> if exceeded.

> Any logical errors, or other errors, you see there? Also, any, simple
> to implement, enhancements you could add?

The first rule is to do whatever works in your situation no matter
what outsiders say.

Are you counting identical queries including qtype as well as qname?

Are you dropping identical queries or all queries?

Counting all queries might not work on a server for a popular domain,
because there can be a lot of legitimate queries from a single carrier
grade NAT IP address.  Even counting 5 identical queries or responses
might cause problems for a sufficiently popular web site.

Counting identical queries instead of identical responses might let a
bad guy reflect a stream of 1500+ Byte NXDOMAIN responses using
a stream of queries for unique bogus domains.

Blocking at 5 identical queries per second sounds reasonable to me,
but blocking for 5 minutes sounds far too long, because it might
unnecessarily drop legitimate queries.  A 5 minute window means that
on average it will be closed 2.5 minutes after the attack stops.
If your scheme can react to the first 5 identical queries in a
second, why not block for only 10 or 15 seconds?

Vernon Schryver    vjs at rhyolite.com
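
Added example, not part of the original message or of any DNS server's code: a small simulation comparing a limiter keyed on the query with one keyed on the response, and a 10 second block with a 5 minute block. The names (Limiter, query_key, response_key, bogus_flood), the constructed traffic, and the choice to treat every NXDOMAIN answer for one zone as the same response are assumptions made for illustration.

```python
class Limiter:
    """One-second counting window per key, plus a block once the limit is exceeded."""
    def __init__(self, limit=5, block_secs=10):
        self.limit, self.block_secs = limit, block_secs
        self.window = {}         # key -> (second, count seen in that second)
        self.blocked_until = {}  # key -> time at which the block ends

    def allow(self, key, now):
        if now < self.blocked_until.get(key, 0.0):
            return False                       # still inside the block window
        sec, count = self.window.get(key, (int(now), 0))
        if sec != int(now):
            sec, count = int(now), 0           # new second, restart the count
        count += 1
        self.window[key] = (sec, count)
        if count > self.limit:
            self.blocked_until[key] = now + self.block_secs
            return False
        return True

def query_key(client, qname, qtype, rcode, zone):
    # "Identical query": same client, qname and qtype.
    return (client, qname.lower(), qtype)

def response_key(client, qname, qtype, rcode, zone):
    # Assumption: all NXDOMAIN answers for one zone count as one response.
    if rcode == "NXDOMAIN":
        return (client, rcode, zone)
    return (client, rcode, qname.lower(), qtype)

def bogus_flood(client="192.0.2.7", zone="example.com", qps=100, secs=3):
    # Constructed traffic: every query asks for a different nonexistent name.
    return [(s + i / qps, client, f"x{s}-{i}.{zone}", "A", "NXDOMAIN", zone)
            for s in range(secs) for i in range(qps)]

def answered(events, keyfn, **kw):
    # Number of responses the server would still send under this keying.
    lim = Limiter(**kw)
    return sum(lim.allow(keyfn(*ev[1:]), ev[0]) for ev in events)

def allowed_after_attack(block_secs, later):
    # Does one more NXDOMAIN for the zone get answered `later` seconds in,
    # after a one-second flood has tripped the limiter?
    lim = Limiter(block_secs=block_secs)
    for ev in bogus_flood(secs=1):
        lim.allow(response_key(*ev[1:]), ev[0])
    return lim.allow(("192.0.2.7", "NXDOMAIN", "example.com"), later)
```
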
