Maintained by: NLnet Labs

[Unbound-users] unbound rate limiting

Rok Potočnik
Sat Mar 30 00:24:22 CET 2013


On 29.3.2013 23:41, Phil Pennock wrote:
> That's a feature for authoritative DNS service.  Myself, I highly
> recommend and endorse those rate-limits for authoritative servers: in
> particular, their patch for bind works really well.
>
> Unbound is a _resolver_.  It does not provide authoritative service
> except as a local_data hack for splicing data in.  The rate limit
> concepts as defined on that page simply don't apply to Unbound.
>
> You should not be providing recursive DNS service that's open to the
> Internet.
>
> See the "access-control:" directive.
>
> If you're only providing recursive DNS service to your own customers,
> then you can block packets with a source IP that claims to be your
> customers at your border routers, so the spoofed traffic is blocked
> before it even reaches your DNS servers.
>
> What is your setup, that you need to have recursive service offered to
> third-party networks, and what issues are you trying to solve?
>
> -Phil

I know rate limiting was intended for authoritative servers but due to 
last weeks DDoS attacks towards Spamhaus I'd like to limit the rate of 
our users' queries (ISP, couple of /16 subnets).

Don't get me wrong - the servers are working as they should and are 
resolving records *just* for our supernets; but quite a few of the 
subscribers have an open resolver on their hands and are using our 
resolver as a forwarder. Just take a look of the attached picture of one 
of the few resolvers statistics.

-- 
BR, Rok
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound_qps.png
Type: image/png
Size: 68314 bytes
Desc: not available
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20130330/4873710b/attachment-0001.png>