Maintained by: NLnet Labs

[Unbound-users] unbound rate limiting

Thilo Bangert
Thu Apr 4 13:49:13 CEST 2013


On Saturday, March 30, 2013 12:24:22 AM Rok Potočnik wrote:
> On 29.3.2013 23:41, Phil Pennock wrote:
> > That's a feature for authoritative DNS service.  Myself, I highly
> > recommend and endorse those rate-limits for authoritative servers: in
> > particular, their patch for bind works really well.
> > 
> > Unbound is a _resolver_.  It does not provide authoritative service
> > except as a local_data hack for splicing data in.  The rate limit
> > concepts as defined on that page simply don't apply to Unbound.
> > 
> > You should not be providing recursive DNS service that's open to the
> > Internet.
> > 
> > See the "access-control:" directive.
> > 
> > If you're only providing recursive DNS service to your own customers,
> > then you can block packets with a source IP that claims to be your
> > customers at your border routers, so the spoofed traffic is blocked
> > before it even reaches your DNS servers.
> > 
> > What is your setup, that you need to have recursive service offered to
> > third-party networks, and what issues are you trying to solve?
> > 
> > -Phil
> 
> I know rate limiting was intended for authoritative servers, but due to
> last week's DDoS attacks towards Spamhaus I'd like to limit the rate of
> our users' queries (ISP, couple of /16 subnets).
> 
> Don't get me wrong - the servers are working as they should and are
> resolving records *just* for our supernets; but quite a few of the
> subscribers have an open resolver on their hands and are using our
> resolver as a forwarder. Just take a look at the attached picture of one
> of the few resolvers' statistics.

BIND has the dampening patch for these purposes, I believe. I don't know how
it behaves in practice, but I have heard good things about it.

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope
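Phil's pointer to the "access-control:" directive, written out as an added unbound.conf fragment (not from the list post or from the Unbound project); the /16 prefixes are placeholders standing in for the ISP's own supernets:

```conf
server:
    # Added example, not from the mailing-list post. Listen on all
    # addresses but refuse recursion by default, so the server is not
    # an open resolver toward the Internet ("refuse" answers REFUSED,
    # "deny" would drop the query silently).
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Allow recursion only from the local host and from the ISP's own
    # customer ranges (placeholder /16s, not real prefixes).
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 10.1.0.0/16 allow
    access-control: 10.2.0.0/16 allow
```

This closes the resolver to third-party networks, which is the case Phil addresses; queries relayed by open resolvers inside the allowed customer ranges still arrive from permitted source addresses, which is why Rok's question turns to rate limiting instead.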