Maintained by: NLnet Labs

[Unbound-users] unbound rate limiting

Phil Pennock
Fri Mar 29 23:41:48 CET 2013


On 2013-03-29 at 22:26 +0100, Rok Potočnik wrote:
> Can we expect unbound query rate limiting
> (http://www.redbarn.org/dns/ratelimits) per client/source in future
> releases?

That's a feature for authoritative DNS service.  Myself, I highly
recommend and endorse those rate-limits for authoritative servers: in
particular, their patch for bind works really well.

Unbound is a _resolver_.  It does not provide authoritative service
except as a local_data hack for splicing data in.  The rate limit
concepts as defined on that page simply don't apply to Unbound.

You should not be providing recursive DNS service that's open to the
Internet.

See the "access-control:" directive.

If you're only providing recursive DNS service to your own customers,
then you can block packets with a source IP that claims to be your
customers at your border routers, so the spoofed traffic is blocked
before it even reaches your DNS servers.

What is your setup, that you need to have recursive service offered to
third-party networks, and what issues are you trying to solve?

-Phil
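As an added illustration of the "access-control:" advice above (this is an example written for this archive page, not a configuration from Phil's message or from the Unbound project's own documentation), the following unbound.conf fragment closes the resolver to the Internet and opens it only to the operator's own netblocks. The customer prefixes 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are assumed placeholder values (RFC 5737 / RFC 3849 documentation ranges); substitute your real customer ranges.

```conf
server:
    # Listen on all addresses; reachability is then controlled purely
    # by the access-control list below, not by the interface list.
    interface: 0.0.0.0
    interface: ::0

    # Catch-all first: anything not matched by a more specific entry
    # gets REFUSED back. (Use "deny" instead of "refuse" to drop the
    # packet silently; "refuse" is friendlier to misconfigured clients
    # and costs only a tiny response.)
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # The host itself.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # Assumed customer netblocks (placeholders, replace with your own).
    # Only these sources may use the resolver recursively.
    access-control: 192.0.2.0/24 allow
    access-control: 198.51.100.0/24 allow
    access-control: 2001:db8::/32 allow
```

Two caveats a practitioner will want. First, Unbound evaluates the most specific matching netblock, so the ordering of the lines does not matter; the 0.0.0.0/0 and ::0/0 entries are simply the least specific and therefore the fallback. Run unbound-checkconf after editing to catch syntax mistakes before reloading. Second, access-control decides only on the packet's source address, so a query spoofed to look like it came from 192.0.2.0/24 is still answered; that is exactly why the message above also asks for ingress filtering at the border routers (drop packets arriving from the Internet side whose source claims to be a customer prefix), which has to be done in the network, not in Unbound.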