<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Rate limiting depends perhaps a lot on the user scenario, whether:<br>
<br>
<b>(1) </b>the resolver is serving only trusted <b>lan</b> clients,
in which case rate limiting may not be necessary unless a client is
suspected of being malicious.<br>
<br>
Read a suggestion somewhere to establish a baseline for DNS queries
from clients that represents the normal/average usage and set the
rate limit in the firewall accordingly.<br>
The firewall rate limit though is per packet and not per DNS
query/response, which could be different due to payload - in
particular if EDNS is added to the mix.<br>
<br>
<blockquote type="cite">If EDNS is supported by both hosts in a DNS
communication, then UDP payloads greater than 512 bytes can be
used. EDNS is a feature that can be leveraged to improve bandwidth
for DNS tunneling</blockquote>
<br>
<b>(2)</b> the resolver is serving untrusted <b>wan</b> clients, in
which case establishing a baseline and a subsequent reasonable rate
limit might prove difficult.<br>
<br>
(Packet) rate limiting via firewall on its own would seem to be a
rather rudimentary way of protection and some advanced firewall
logic/learning would raise the protection level, e.g. a maximum
number of queries from the same client ip for the same TLD/SLD
within the TTL.<br>
<br>
BIND has implemented some Recursive Client Rate Limiting -
<a class="moz-txt-link-freetext" href="https://kb.isc.org/docs/aa-01304">https://kb.isc.org/docs/aa-01304</a>; unfortunately Unbound does not appear
to provide similar functionality.<br>
<div class="moz-signature"><br>
</div>
<div class="moz-cite-prefix">On 23.11.2018 09:41, via Unbound-users
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABPjrMUajVaLMZ72ROruAWu9wVAuWshpSa67EtzJabHrq3CmeQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">
<div style="font-family:sans-serif;font-size:12.8px" dir="auto">Hi,</div>
<div dir="auto" style="font-family:sans-serif;font-size:12.8px">IP-ratelimit
sounds good to me (as risk reduction :) Do you have some
experience with values? Research needs to be done in order to
choose a reasonable limit.</div>
<div dir="auto" style="font-family:sans-serif;font-size:12.8px"><br>
</div>
<div dir="auto" style="font-family:sans-serif;font-size:12.8px">Filtering
by qname length might be risky for legitimate traffic, I am
afraid... </div>
<div dir="auto" style="font-family:sans-serif;font-size:12.8px"><br>
</div>
<div dir="auto" style="font-family:sans-serif;font-size:12.8px">BR</div>
<div class="gmail_quote" dir="auto">
<div dir="ltr"><br>
</div>
</div>
</div>
</blockquote>
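The per-client, per-SLD query counting suggested in the reply above, as an added example that is not from the thread and not part of Unbound: it parses constructed log lines in the shape Unbound writes with log-queries enabled (the line format, the two-label domain reduction and the 60-second window standing in for the TTL are all assumptions), counts DNS queries rather than packets, and flags client/domain pairs that exceed a threshold inside a sliding window.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape Unbound writes with log-queries: yes
# ("[epoch] unbound[pid:tid] info: client qname qtype qclass"; format assumed).
SAMPLE_LOG = """\
[1542966060] unbound[1234:0] info: 192.0.2.10 www.example.net. A IN
[1542966061] unbound[1234:0] info: 192.0.2.10 mail.example.net. A IN
[1542966062] unbound[1234:0] info: 192.0.2.10 nlnetlabs.nl. AAAA IN
[1542966063] unbound[1234:0] info: 198.51.100.7 3a7f1c.tunnel.example.org. TXT IN
[1542966063] unbound[1234:0] info: 198.51.100.7 9b20e4.tunnel.example.org. TXT IN
[1542966064] unbound[1234:0] info: 198.51.100.7 c41d08.tunnel.example.org. TXT IN
[1542966065] unbound[1234:0] info: 198.51.100.7 e77a91.tunnel.example.org. TXT IN
[1542966130] unbound[1234:0] info: 198.51.100.7 0f3b62.tunnel.example.org. TXT IN
"""

LINE_RE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: (\S+) (\S+) (\S+) (\S+)$")

def registered_domain(qname, labels=2):
    """Reduce a qname to its last `labels` labels (SLD.TLD). Simplification: a real
    deployment should use the Public Suffix List so 'co.uk'-style suffixes work."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def parse_queries(text):
    """Yield (epoch, client_ip, registered_domain, qtype) for each query log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qname, qtype, _qclass = m.groups()
            yield int(ts), client, registered_domain(qname), qtype

def flag_clients(text, window=60, threshold=3):
    """Return {(client_ip, domain): peak} for client/domain pairs that sent more than
    `threshold` queries inside any `window`-second sliding window (the window stands in
    for the TTL). Counts DNS queries, not packets, unlike a firewall packet limit."""
    events = defaultdict(list)
    for ts, client, domain, _qtype in parse_queries(text):
        events[(client, domain)].append(ts)
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged
```

With the constructed input only the second client is flagged, because its five TXT queries to one registered domain include four within a single minute; the legitimate client stays under the threshold.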
<br>
</body>
</html>