query dropping vs. returning nxdomain

Brad Knowles brad at stop.mail-abuse.org
Tue Mar 7 16:53:39 UTC 2006 

At 2:12 AM +1000 2006-03-08, Geert Jan de Groot wrote:

>  Secondly, I think that the vast majority of nameservers don't have
>  a high packet rate and hence would continue to work with these
>  rate-limiters in place by default.

	On a pretty low-end machine, you can see upwards of 5000 queries 
per second being received and answered by BIND-8, although BIND-9 
would currently require a little more horsepower.  Most any machine 
you can buy new these days should be able to handle at least 
thousands of queries per second, without breaking a sweat.

	And then there are high-performance nameservers that can really 
sing, including freely available ones like NSD.


	You can see my own results at 
<http://www.shub-internet.org/brad/papers/dnscomparison/>, but keep 
in mind that the principal server being tested was a Compaq laptop 
with very little memory and was already well over five or six years 
out-of-date at the time I was testing it.


	That said, I do like the rate-limiting compromise, but I would 
want to make sure that this doesn't open any new vulnerabilities, at 
least not any that are easily provoked.

	For example, if you do the rate limiting then you've got to track 
senders over the long-term by IP address and know when the last time 
it was you sent them a rate-limited response (so that you can know 
when you can send the next one).  Attackers could exploit this by 
spoofing large numbers of bogus senders and trying to blow up your 
lookup table, regardless of how it's implemented.

>  The ones that have a higher load that would trigger the rate-limiter
>  are hopefully ran by propellorheads with clue, and at least they would
>  need clue to change the rate limiter.

	Agreed.  Well, mostly -- If we do rate limiting, let's make sure 
that we wave lots of red flags all over the place so that people 
would have to work pretty hard to be unaware that there's a rate 
limiter in place by default.

	You'd be amazed at the number of people I encounter that are 
supposedly fairly clueful but who make all sorts of simple mistakes 
-- like leaving a default turned on that they should have known that 
they would want to disable for their systems.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

More information about the bind-workers mailing list