[dns-operations] Does residential ISPs do rate limit on their local resolvers?

Paul Vixie paul at redbarn.org
Mon Oct 24 22:32:44 UTC 2016
Florian Weimer wrote:
> What happens to the recursor with typical RRL deployments on the server
> side?

"recursor" is a marketing term used by PowerDNS. i think you mean RDNS
server or full resolver, so i'll answer as if you'd said that.

what happens to an RDNS server or full resolver who asks a question at
the same time an attack is occurring, or whose questions are mistaken as
an attack, is that for positive answers they will get goodput often
enough to fill their cache such that they will stop asking, and that for
negative answers the work queue in the RDNS server will suffer, and the
work done by its stub clients will also suffer.

since very few stub clients are part of applications whose working speed
is determined by the speedy availability of negative answers, this is
the least-bad tradeoff i know of.

> Is the goal to take out the recursor as completely as possible, so that
> its operator is forced to disconnect the client that is spewing garbage
> queries?

if by "recursor" you mean RDNS server: no. although the stubs will
suffer automatically with ISC BIND9's new recursive client rate limiting.

> I could imagine under a huge tough attack, the authoritative
> operator may want to "take out the recursor as completely as
> possible" if the recursor is "spewing garbage queries".

if by "recursor" you mean RDNS server, that's not what RRL does. an
operator would have to use other tools (ACL) to get that result.

> But the motivation behind that is they want to serve the other
> recursors that carries no attack queries. If they don't do this, they
> may end up with taking out all recursors almost completely and no
> users can be served at all...

those are not RRL questions, so i'll demur.

-- 
P Vixie
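The tradeoff described in the reply (positive answers still get enough goodput to fill the resolver's cache, while negative answers keep costing it work) as an added simulation; this is not code from the thread or from ISC. The bucket identities are modelled loosely on BIND9 RRL (positive answers per client block and name, NXDOMAINs per client block and zone), and the rates, zone contents, address block and traffic mix are all assumed.

```python
# Simplified token-bucket model of RRL at an authoritative server, seen from one
# full resolver.  Buckets: positives per (client block, qname, rcode), NXDOMAIN per zone.
import random
from collections import defaultdict

RATE, BURST = 5, 75          # credits/second and cap per bucket (assumed)
ZONE = "example.com."
EXISTING = {"www.example.com.", "mail.example.com."}  # constructed zone data

def bucket_key(client, qname, rcode):
    # All NXDOMAINs for a zone share one bucket; positives get one per name.
    return (client, ZONE, "NX") if rcode == "NXDOMAIN" else (client, qname, rcode)

class AuthServer:
    def __init__(self):
        self.credit = defaultdict(lambda: BURST)
    def tick(self):                 # one second passes: refill every bucket
        for k in self.credit:
            self.credit[k] = min(self.credit[k] + RATE, BURST)
    def answer(self, client, qname):
        rcode = "NOERROR" if qname in EXISTING else "NXDOMAIN"
        k = bucket_key(client, qname, rcode)
        self.credit[k] -= 1
        return rcode if self.credit[k] >= 0 else "DROPPED"   # slip ignored

class Resolver:
    """Full resolver: caches positive answers by name; every miss is work."""
    def __init__(self, auth, addr, ttl=300):
        self.auth, self.addr, self.ttl, self.cache = auth, addr, ttl, {}
    def lookup(self, qname, now):
        if self.cache.get(qname, -1) > now:
            return "HIT"
        r = self.auth.answer(self.addr, qname)
        if r == "NOERROR":
            self.cache[qname] = now + self.ttl
        return r

def simulate(seconds=60, attack_qps=200, seed=1):
    """Junk queries forged from the resolver's address block drain the shared
    NXDOMAIN bucket; returns outcome counts for positive and negative lookups."""
    rng, auth = random.Random(seed), AuthServer()
    rdns = Resolver(auth, "192.0.2.0/24")          # assumed resolver block
    pos, neg = defaultdict(int), defaultdict(int)
    for now in range(seconds):
        auth.tick()
        for _ in range(attack_qps):
            auth.answer("192.0.2.0/24", f"{rng.getrandbits(32):08x}.{ZONE}")
        pos[rdns.lookup("www.example.com.", now)] += 1        # cacheable
        neg[rdns.lookup(f"typo{now}.{ZONE}", now)] += 1       # distinct misses
    return dict(pos), dict(neg)
```

With the constructed traffic the resolver's one positive query reaches the cache on the first try and every later lookup is a hit, while each of its distinct negative lookups is dropped for as long as the shared NXDOMAIN bucket stays drained; with `attack_qps=0` the same negative lookups all succeed.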