[dns-operations] DNS RRL light?
Vernon Schryver
vjs at rhyolite.com
Mon Sep 17 16:06:31 UTC 2012
> From: Mohamed Lrhazi <ml623 at georgetown.edu>
> ...
> Also, one could say that by enabling RRL, we are adding a weakness
> to the system:
> - Attack using large number of unique queries and unique source IPs,
> aiming at exhausting our RAM...
>
> Is that a valid criticism? Does BIND RRL mitigate that? Should one add
> logic to disable the whole RRL after reaching some QPS threshold?
I think that code must handle error conditions that can be anticipated
and handled. The BIND RRL patch tries to handle state table size
problems by:
- having a minimum size to reduce cold-start issues,
- having a maximum size to avoid crashing under very high load,
- always reusing the least recently used state table entry even when
the window for that entry has not expired.
I suspect discussions like this should be on the DNS Response Rate
Limits mailing list and not here. If so, please see
http://lists.redbarn.org/mailman/listinfo/ratelimits
Vernon Schryver vjs at rhyolite.com
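The three design points listed in the reply (a preallocated minimum, a hard maximum, and LRU reuse of a live entry once the maximum is hit) are easy to see in a small model. The following Python is an added illustration written for this archive page; it is not BIND's code and does not reproduce BIND's key format or tuning. The class and function names (`RrlStateTable`, `rrl_key`, `simulate_unique_source_flood`, `simulate_repeat_queries`), the /24 grouping, and all addresses and sizes are constructed assumptions. It demonstrates why a flood of unique sources cannot grow the table past its maximum: the cost is paid in accuracy (an evicted client's window restarts), not in memory.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Bucket:
    """Per-key rate-limit state: start of the current window and responses sent in it."""
    window_start: float = 0.0
    count: int = 0


class RrlStateTable:
    """Bounded, LRU-recycled state table in the spirit of the post's description.
    Illustration only: this is not BIND's implementation."""

    def __init__(self, min_entries: int, max_entries: int,
                 window_sec: float, responses_per_window: int):
        assert 0 < min_entries <= max_entries
        self.max_entries = max_entries
        self.window_sec = window_sec
        self.limit = responses_per_window
        # Minimum size: preallocate a pool so the first burst of new clients
        # does not pay an allocation each (the cold-start point in the post).
        self.free = [Bucket() for _ in range(min_entries)]
        # Live entries, least recently used first.
        self.entries = OrderedDict()
        self.stats = {"allocated": 0, "recycled_expired": 0, "recycled_live": 0}

    def _acquire(self, now: float) -> Bucket:
        if self.free:
            return self.free.pop()
        if len(self.entries) < self.max_entries:
            self.stats["allocated"] += 1
            return Bucket()
        # Maximum size reached: reuse the least recently used entry whether or
        # not its window has expired, so memory stays bounded under any load.
        _, bucket = self.entries.popitem(last=False)
        if now - bucket.window_start >= self.window_sec:
            self.stats["recycled_expired"] += 1
        else:
            self.stats["recycled_live"] += 1
        return bucket

    def check(self, key: tuple, now: float) -> bool:
        """Return True if the response may be sent, False if it is rate-limited."""
        bucket = self.entries.get(key)
        if bucket is None:
            bucket = self._acquire(now)
            bucket.window_start, bucket.count = now, 0
            self.entries[key] = bucket
        else:
            self.entries.move_to_end(key)  # mark as most recently used
            if now - bucket.window_start >= self.window_sec:
                bucket.window_start, bucket.count = now, 0
        bucket.count += 1
        return bucket.count <= self.limit


def rrl_key(client_ip: str, qname: str, prefix_len: int = 24) -> tuple:
    """Constructed key: client IPv4 prefix plus the queried name, a simplified
    stand-in for RRL's grouping of similar responses to nearby sources."""
    octets = client_ip.split(".")
    return (".".join(octets[: prefix_len // 8]), qname.lower())


def simulate_unique_source_flood(n_sources: int) -> RrlStateTable:
    """Constructed scenario from the thread: many distinct /24s, one query each.
    Returns the table so the caller can inspect its size and statistics."""
    table = RrlStateTable(min_entries=4, max_entries=8,
                          window_sec=1.0, responses_per_window=2)
    for i in range(n_sources):
        ip = f"10.{(i >> 8) & 255}.{i & 255}.1"  # constructed, one /24 per source
        table.check(rrl_key(ip, "example.com"), now=0.0)
    return table


def simulate_repeat_queries(n_queries: int) -> list:
    """One client asking the same name repeatedly inside a single window."""
    table = RrlStateTable(4, 8, window_sec=1.0, responses_per_window=2)
    key = rrl_key("192.0.2.10", "example.com")
    return [table.check(key, now=0.0) for _ in range(n_queries)]


if __name__ == "__main__":
    flood = simulate_unique_source_flood(1000)
    print(len(flood.entries), flood.stats)
    print(simulate_repeat_queries(4))
```

With 1000 unique sources the table never holds more than 8 entries: 4 come from the preallocated pool, 4 are allocated up to the maximum, and the remaining 992 recycle a live entry. The same table still limits a single chatty client to two responses per window.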