[dns-operations] DNS RRL light?

Vernon Schryver vjs at rhyolite.com
Mon Sep 17 16:06:31 UTC 2012

> From: Mohamed Lrhazi <ml623 at georgetown.edu>

> ...
> Also, one could say that by enabling RRL, we are adding a weakness
> to the system:
> - Attack using large number of unique queries and unique source IPs,
> aiming at exhausting our RAM...
> Is that a valid criticism? Does BIND RRL mitigate that? Should one add
> logic to disable the whole RRL after reaching some QPS threshold?

I think that code must handle error conditions that can be anticipated
and handled.  The BIND RRL patch tries to handle state table size
problems by:
  - having minimum size to reduce cold-start issues,
  - having maximum size to avoid crashing under very high load,
  - always reusing the least recently used state table entry even when
     the window for that entry has not expired.

I suspect discussions like this should be on the DNS Response Rate
Limits mailing list and not here.  If so, please see

Vernon Schryver    vjs at rhyolite.com
