DNS security, amplification attacks and recursion

@lbutlr kremels at kreme.com
Tue Jul 7 17:28:18 UTC 2020


On 07 Jul 2020, at 08:06, Tony Finch <dot at dotat.at> wrote:

Excellent post, and a nice summary of some best practices.

I have a couple of questions.

> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you can put in the rate-limit{} section.
> 
> 	rate-limit { responses-per-second 10; };

Does that apply to local queries as well (for example, a mail server may easily make a whole lot of queries to 127.0.0.1, and rate limiting it would at the very least affect logging and could delay mail if the MTA cannot verify DNS)?

Do these settings also need to be applied to the secondary servers?



-- 
What's another word for Thesaurus?


