DNS security, amplification attacks and recursion

Tony Finch dot at dotat.at
Tue Jul 7 17:58:35 UTC 2020

@lbutlr <kremels at kreme.com> wrote:
> > 	rate-limit { responses-per-second 10; };
> Does that apply to local queries as well (for example, a mail server may
> easily make a whole lot of queries to, and rate limiting it
> would at the very least affect logging and could delay mail if the MTA
> cannot verify DNS.

I don't recommend using response rate limiting on recursive servers.

The principle behind RRL is that auth servers are queried by resolvers
with caches, and a correctly-functioning cache will not repeat the same
query very frequently, so it is reasonable to apply a rate limit on the
auth servers.

Recursive servers, on the other hand, are often queried by stub resolvers
without caches. The query rate is then entirely driven by the application
workload, and you can't apply a rate limit on the recursive server without
causing serious trouble for the application.

It can be especially bad because traditional cacheless stub resolvers are
not good at error recovery, and when RRL hits, their retry strategy is
likely to increase the query rate observed by the server, making things

If you are running an oldskool multi-purpose server that is recursive for
its own daemons but authoritative for others, then you can use the
`rate-limit { exempt-clients }` option so that RRL doesn't apply to
recursive clients. But I wouldn't recommend a setup like this. (My auth
servers have their /etc/resolv.conf pointing at my recursive service.)

> Do these settings also need to be applied to the secondary servers?

The settings I described are for public authoritative servers, i.e. ones
that appear in NS records. These servers can be primary or secondary (but
are usually secondary).

Secondary servers don't necessarily appear in NS records, and if they
don't they are less likely to be exposed to this kind of attack.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Westerly or southwesterly, 3 to 5, becoming variable 3 or
less later in north. Moderate. Showers. Good.
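An added illustration, not from Tony's message or from the BIND documentation, of the "oldskool multi-purpose server" case he describes: a single named instance that is authoritative to the world but recursive for its own hosts, with RRL applied only to the authoritative traffic. The ACL name, the addresses (RFC 5737 documentation space) and the zone name are constructed placeholders.

```conf
// Constructed ACL: the hosts this server resolves for (its own daemons).
// Keep it tight; anything listed here is exempt from RRL.
acl local-resolver-clients {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;      // placeholder: the local server network
};

options {
    directory "/var/cache/bind";

    // Recursion only for our own clients; everyone else gets auth answers.
    recursion yes;
    allow-recursion { local-resolver-clients; };
    allow-query     { any; };

    rate-limit {
        // Same figure as in the thread: at most 10 identical responses
        // per second per client network before RRL kicks in.
        responses-per-second 10;

        // The option from the message: stub resolvers behind
        // allow-recursion never see RRL, so a busy MTA is not throttled.
        exempt-clients { local-resolver-clients; };

        // Roll out safely: log what would be limited without dropping it,
        // then switch to "log-only no" once the logs look sane.
        log-only yes;
    };
};

// Placeholder zone this server is authoritative for.
zone "example.com" {
    type secondary;
    primaries { 198.51.100.1; };   // placeholder primary address
    file "db.example.com";
};
```

As the message says, the cleaner design is two separate services, in which case the authoritative instance keeps `rate-limit` and the recursive instance has none at all.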
