[dns-operations] Does residential ISPs do rate limit on their local resolvers?

Paul Vixie paul at redbarn.org
Sat Oct 22 16:27:48 UTC 2016

Robert Martin-Legene wrote:
> I think RRL does not really work so well in this case. It would force
> the client to TCP. But then on TCP the client could ask for any random
> string from a victim-zone. A string that the resolver would try to resolve.

i think you should build a test network out of a bunch of VM's and find
out what difference RRL makes in practice against an attack like this.
the urban legend of "would force the client to TCP" isn't supported by
theory and likely won't be supported by practice, either. RRL has three
things it can do when it decides that a query is a duplicate. only one
involves TC=1. the combination of all three yields systemic attenuation.

> RRL mostly saves us from spoofed sender addresses.

well, yes, and that's what it was designed for. but since DNS RRL is
targeted at authority servers, it presumes that the asker has a cache.
if the asker behaves as if they don't have a cache, they will get worse
service. to the extent that these clients aim their questions at
authority servers, they'll be stopped directly. to the extent that they
aim their queries at their own RDNS servers, the NXDOMAIN limits will
kick in and the responses will be stopped indirectly.

yes, this will injure the service received by those RDNS servers from
the RRL-using authorities for the zones where the random subdomains are.
and yes, this will injure the TCP capacity of the RRL-using authorities.
this is after all an attack, and there will be injuries. and if the UDP
query volume is high enough to congest the upstream links leading to an
authority server, then no logic, RRL or otherwise, will prevent the
attack from succeeding.

the goal is to attenuate, and that goal is met by DNS RRL in this case.

P Vixie

More information about the dns-operations mailing list