[dns-operations] Does residential ISPs do rate limit on their local resolvers?

Paul Vixie paul at redbarn.org
Sat Oct 22 16:00:55 UTC 2016

Xun Fan wrote:
> ...
> In addition, [Mirai] can also cause damage on the authoritative name servers
> if the attack is targeting a specific domain.

that attack mode is why DNS RRL uses the closest enclosing SOA RR as its
NXDOMAIN bucket-holder. that is, random subdomain attacks are counted
(and NXDOMAIN-limited) per zone-cut not per-qname.

> So just out of curiosity, is it prevailing that the residential ISPs do
> rate limit on their local resolvers (per source preferably) ?
> Public DNS resolvers seem to do that, i.e., but it will be
> helpful if ISPs do it too.

rate-limiting a recursive is made difficult by the fact that stubs
mostly do not cache, and it's actually quite reasonable for a stub to
ask the exact same question a hundred times per second. and if you allow
that, then you're not going to make yourself useless enough to attackers.

this is why DNS RRL focuses all of its energies on the authoritatives.
DNS RRL is free, it's ubiquitous, but it's not yet the default. for more
information, consult the web site below.


P Vixie

More information about the dns-operations mailing list