[dns-operations] DNS RRL light?

Mohamed Lrhazi ml623 at georgetown.edu
Mon Sep 17 15:30:34 UTC 2012


On Sat, Sep 15, 2012 at 6:52 PM, Mohamed Lrhazi <ml623 at georgetown.edu> wrote:
>
> https://gist.github.com/3729931

I updated the script to hash, and hence count and rate limit, the
errors and responses, instead of the qname+qtype.

The way I am doing it is:
- If response rcode is not NOERROR, hash and count the rcode itself.
- else, concat all response RRs, and hash and count that instead.

Is that good enough? Also, with BIND RRL slip functionality aside, how
close is this script to the real deal?

Also, one could say that by enabling RRL, we are adding a weakness
to the system:
- Attack using large number of unique queries and unique source IPs,
aiming at exhausting our RAM...

Is that a valid criticism? Does BIND RRL mitigate that? Should one add
logic to disable the whole RRL after reaching some QPS threshold?

Thanks a lot,
Mohamed.
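The bucketing described in the message above (count by rcode for errors, by a hash of the concatenated response RRs otherwise), as an added illustration that is not the author's gist and not BIND's code. It assumes a /24 client grouping, a fixed one-second window, and a fixed-size LRU table so that a flood of unique queries from many source IPs evicts old buckets instead of growing memory without bound.

```python
import hashlib
import time
from collections import OrderedDict


def response_key(client_ip, rcode, rrs):
    """Bucket key: (client netblock, identity of the response).

    Assumption: clients are grouped per /24, and a NOERROR answer is
    identified by a hash of its sorted RRs (constructed text form).
    """
    net = ".".join(client_ip.split(".")[:3]) + ".0/24"
    ident = rcode if rcode != "NOERROR" else "|".join(sorted(rrs))
    digest = hashlib.sha256(ident.encode()).hexdigest()[:16]
    return (net, digest)


class ResponseRateLimiter:
    """Per-bucket responses-per-second limiter with a bounded table."""

    def __init__(self, responses_per_second=5, max_table_size=1000):
        self.limit = responses_per_second
        self.max_table_size = max_table_size
        # key -> (window_start, count); insertion order gives LRU eviction
        self.table = OrderedDict()

    def allow(self, client_ip, rcode, rrs, now=None):
        """Return True if this response may be sent, False if it is dropped."""
        now = time.time() if now is None else now
        key = response_key(client_ip, rcode, rrs)
        window_start, count = self.table.get(key, (now, 0))
        if now - window_start >= 1.0:          # new one-second window
            window_start, count = now, 0
        count += 1
        self.table[key] = (window_start, count)
        self.table.move_to_end(key)            # mark as most recently used
        # Bound memory: evict the least recently used bucket(s)
        while len(self.table) > self.max_table_size:
            self.table.popitem(last=False)
        return count <= self.limit
```

Because a flood of distinct NXDOMAIN names from one netblock all hash to the same rcode bucket, they share one counter, which is the point of counting the error rather than the qname.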


