[dns-operations] DNS RRL light?
vjs at rhyolite.com
Mon Sep 17 16:06:31 UTC 2012
> From: Mohamed Lrhazi <ml623 at georgetown.edu>
> Also, one could say that by enabling RRL, we are adding a weakness
> to the system:
> - Attack using a large number of unique queries and unique source IPs,
> aiming at exhausting our RAM...
> Is that a valid criticism? Does BIND RRL mitigate that? Should one add
> logic to disable the whole RRL after reaching some QPS threshold?
I think that code must handle error conditions that can be anticipated
and handled. The BIND RRL patch tries to handle state table size by:
- having minimum size to reduce cold-start issues,
- having maximum size to avoid crashing under very high load,
- always reusing the least recently used state table entry even when
the window for that entry has not expired.
I suspect discussions like this should be on the DNS Response Rate
Limits mailing list and not here. If so, please see
Vernon Schryver vjs at rhyolite.com
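The bounded state table described in the reply above (maximum size, least-recently-used reuse even when an entry's window is still open), as an added simulation written for this thread and not BIND's own code; the /24 client bucketing, the one-second window and the per-window limit are assumed values:

```python
from collections import OrderedDict


class RRLTable:
    """Constructed RRL-style state table bounded by max_entries."""

    def __init__(self, max_entries=4, window=1.0, responses_per_window=2):
        self.max_entries = max_entries
        self.window = window
        self.limit = responses_per_window
        self.entries = OrderedDict()  # oldest-used entry is first

    def _key(self, client_ip, qname):
        # Assumed bucketing: IPv4 clients are grouped by /24, per query name
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, qname)

    def check(self, client_ip, qname, now):
        """Return 'respond' or 'drop' for one query at time `now` (seconds)."""
        key = self._key(client_ip, qname)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # Table is full: recycle the least recently used entry
                # even though its rate-limit window may not have expired.
                self.entries.popitem(last=False)
            entry = {"start": now, "count": 0}
            self.entries[key] = entry
        else:
            self.entries.move_to_end(key)  # mark as most recently used
            if now - entry["start"] >= self.window:
                entry["start"], entry["count"] = now, 0  # new window
        entry["count"] += 1
        return "respond" if entry["count"] <= self.limit else "drop"

    def size(self):
        return len(self.entries)


def flood_unique_sources(table, n, now=0.0):
    """Simulate n queries from n distinct /24s for n distinct names."""
    for i in range(n):
        table.check(f"10.{i // 256 % 256}.{i % 256}.1", f"q{i}.example.", now)
    return table.size()
```

The memory bound holds because the table never grows past max_entries; the cost is that a client already being dropped can be answered again once its entry is recycled under load.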