[dns-operations] NSD 3.2.15 with RRL released

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Feb 4 14:50:58 UTC 2013


Dear colleagues,

[This mail is cross posted to a few relevant mailing lists, apologies
for duplicates]

Since DDoS through DNS amplification has been a hot topic on this list I
would like to make you aware that we now have a production release of
NSD that contains Response Rate Limiting (RRL): NSD 3.2.15, available
through http://www.nlnetlabs.nl/projects/nsd/.

The implementation is based on the work by Vixie and Schryver. However,
because of the code-diversity argument that is at the basis of NSD work
but also because of specifics of the NSD architecture, it is an
independent implementation.

The implementation shares the main ideas that prevent false positives:
the fallback to TCP and a fine-grained (albeit different) query
classification mechanism. See
https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ for some of the
details.

RRL is not enabled by default. Although we are confident about code
stability, did extensive testing, and performed a usual beta-release
cycle which gave the code exposure, the methodology is rather new and
there is relatively little operational experience. You can enable RRL
with the build option '--enable-ratelimit':

    $ ./configure --enable-ratelimit

We advise prudent monitoring. Within NSD one can monitor RRL being
turned on or off for specific query patterns when verbosity is set to
level 2 or higher.

We welcome NSD-specific feedback and experience on the nsd-users
list[1]. For discussion about rate limiting in general the ratelimits
list[2] hosted by Paul Vixie is probably the better one.


Kind regards,

Matthijs Mekking
NLnet Labs


[1] http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
[2] http://lists.redbarn.org/mailman/listinfo/ratelimits
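Editor's note: the following is an added illustration of the two RRL ideas the announcement names (query classification by client prefix rather than exact source address, and "slipping" a truncated UDP reply so a genuine client falls back to TCP). It is a toy model written for this page, not NSD's code, and its rate limit, slip interval, prefix lengths and classification keys are assumptions chosen for the demonstration; NSD's own classification is different, as the blog post linked above explains.

```python
"""Toy model of DNS Response Rate Limiting (RRL).

Added illustration, not NSD's implementation. Assumed parameters and
classification rules are chosen for the demo only:
  - responses are counted per (client prefix, response class), with
    IPv4 clients aggregated to /24 and IPv6 clients to /64;
  - positive answers are classed by (qname, qtype); NXDOMAIN answers are
    classed by zone, because an attacker varies the random qname;
  - once a bucket is over its per-second limit, every `slip`-th excess
    response is sent truncated (TC=1) and the rest are dropped;
  - TCP queries are never limited, which is what makes the TC fallback safe.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

DROP, TRUNCATE, SEND = "drop", "truncate", "send"


@dataclass
class Query:
    src: str        # client IP address
    qname: str
    qtype: str
    rcode: str      # rcode the server would answer with: "NOERROR", "NXDOMAIN"
    zone: str       # zone the answer comes from (needed for NXDOMAIN classing)
    proto: str = "udp"


class RateLimiter:
    def __init__(self, limit_per_sec=5, slip=2, v4_prefix=24, v6_prefix=64):
        self.limit = limit_per_sec
        self.slip = slip
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        # key -> [window_second, responses_sent_in_window, excess_in_window]
        self.buckets = {}

    def classify(self, q):
        """Bucket key: the client's prefix plus a coarse response class."""
        addr = ipaddress.ip_address(q.src)
        plen = self.v6_prefix if addr.version == 6 else self.v4_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if q.rcode == "NXDOMAIN":
            return (str(net), "nxdomain", q.zone.lower())
        return (str(net), "answer", q.qname.lower(), q.qtype.upper())

    def decide(self, q, now):
        """Return SEND, TRUNCATE or DROP for a query arriving at time `now`."""
        if q.proto == "tcp":
            return SEND            # TCP proves the source address; never limit
        key = self.classify(q)
        sec = int(now)
        bucket = self.buckets.get(key)
        if bucket is None or bucket[0] != sec:
            bucket = self.buckets[key] = [sec, 0, 0]   # new one-second window
        if bucket[1] < self.limit:
            bucket[1] += 1
            return SEND
        bucket[2] += 1
        if self.slip and bucket[2] % self.slip == 0:
            return TRUNCATE        # tiny TC=1 reply: real clients retry over TCP
        return DROP


def run_demo():
    """Constructed traffic: 20 UDP queries for the same answer, all from one
    /24, within one second. Returns a tally of the decisions taken."""
    rl = RateLimiter(limit_per_sec=5, slip=2)
    tally = defaultdict(int)
    for i in range(1, 21):
        q = Query(src=f"192.0.2.{i}", qname="example.com", qtype="ANY",
                  rcode="NOERROR", zone="example.com")
        tally[rl.decide(q, now=100.0)] += 1
    return dict(tally)


if __name__ == "__main__":
    print(run_demo())
```

With these assumed settings the 20-query burst yields five full answers, seven truncated replies and eight drops: a spoofed victim at most receives small TC=1 packets instead of amplified answers, while a legitimate resolver behind the same /24 still gets a truncated reply within two attempts and can retry over TCP, which the limiter never touches. Queries from a different prefix, or NXDOMAIN queries for many random names in one zone, land in their own buckets.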

