query dropping vs. returning nxdomain
brad at stop.mail-abuse.org
Tue Mar 7 16:53:39 UTC 2006
At 2:12 AM +1000 2006-03-08, Geert Jan de Groot wrote:
> Secondly, I think that the vast majority of nameservers don't have
> a high packet rate and hence would continue to work with these
> rate-limiters in place by default.
On a pretty low-end machine, you can see upwards of 5000 queries
per second being received and answered by BIND-8, although BIND-9
would currently require a little more horsepower. Most any machine
you can buy new these days should be able to handle at least
thousands of queries per second, without breaking a sweat.
And then there are high-performance nameservers that can really
sing, including freely available ones like NSD.
You can see my own results at
<http://www.shub-internet.org/brad/papers/dnscomparison/>, but keep
in mind that the principal server being tested was a Compaq laptop
with very little memory and was already well over five or six years
out-of-date at the time I was testing it.
That said, I do like the rate-limiting compromise, but I would
want to make sure that this doesn't open any new vulnerabilities, at
least not any that are easily provoked.
For example, if you do the rate limiting then you've got to track
senders over the long-term by IP address and know when the last time
it was you sent them a rate-limited response (so that you can know
when you can send the next one). Attackers could exploit this by
spoofing large numbers of bogus senders and trying to blow up your
lookup table, regardless of how it's implemented.
> The ones that have a higher load that would trigger the rate-limiter
> are hopefully ran by propellorheads with clue, and at least they would
> need clue to change the rate limiter.
Agreed. Well, mostly -- If we do rate limiting, let's make sure
that we wave lots of red flags all over the place so that people
would have to work pretty hard to be unaware that there's a rate
limiter in place by default.
You'd be amazed at the number of people I encounter that are
supposedly fairly clueful but who make all sorts of simple mistakes
-- like leaving a default turned on that they should have known that
they would want to disable for their systems.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
More information about the bind-workers