[nsd-users] Request Rate Limiting
brett.carr at nominet.uk
Mon Oct 3 08:42:13 UTC 2016
> On 30 Sep 2016, at 21:41, Michael A. Peters <mpeters at domblogger.net> wrote:
> I run 3 authoritative nameservers. 1 master in Texas, 1 slave in California, 1 slave in London.
> I am small time, maybe a dozen zones. I just really did not like the limitations of DNS management that hosting providers and registrars have, especially wanting me to pay a fee to have DNSSEC yet still have many of the limitations.
> In light of the recent massive DDoS attacks I want to make damn sure that I have RRL properly implemented.
> I do keep up to date with the latest NSD and it is compiled with the rate limiting option.
> What is the best way though to test the effectiveness of my rate limiting and determine whether or not it is good enough? Is there by chance a test service similar to ssllabs where I can test the quality of my rate limiting?
> Secondly, has anyone looked at the real world implications of refusing UDP? Especially with DNSSEC it seems TCP is more logical and a lot of DNS requests expecting a large response use TCP anyway.
> Could we eliminate the DDoS threat by just turning off UDP?
> Recursive servers I understand probably have to keep accepting them, but authoritative servers are only intended for recursive servers to query, so would it be safe to just drop port 53 UDP requests?
> I hope that isn't too ignorant of a question.
You will almost certainly cut some clients off from being able to resolve your domains if you do this.
All resolvers *SHOULD* support TCP; however, in non-DNS circles there is a certain amount of ignorance about this, where a percentage of people believe that DNS over TCP is only for zone transfers and "of course my resolver doesn't do zone transfers, so I will block TCP at the firewall".
It's difficult to assess how much impact this will have, but I would advise you not to do it, and if you do, I would advise you to put some measures in place to attempt to measure the number of queries you receive before and after the change.
Senior DNS Engineer
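
One way to do the before-and-after measurement suggested in the reply above, as an added example that is not part of the original thread: it compares which resolver addresses were seen before the change with which of them still arrive over TCP afterwards. The input line format, the function names and the sample data are assumptions made for this example.

```python
from collections import Counter

# Constructed sample data (documentation address ranges), not real traffic.
# Assumed line format: "<epoch> <source-ip> <udp|tcp>", one line per query
# seen on port 53, e.g. derived from a packet capture. The epoch is ignored.
BEFORE = """\
1475481600 192.0.2.10 udp
1475481601 192.0.2.10 udp
1475481602 198.51.100.7 udp
1475481603 198.51.100.7 tcp
1475481604 203.0.113.5 udp
1475481605 2001:db8::53 udp
"""
AFTER = """\
1475568000 192.0.2.10 tcp
1475568001 192.0.2.10 tcp
1475568002 198.51.100.7 tcp
1475568003 2001:db8::53 udp
"""

def parse(text):
    """Count queries per (source, transport); skip malformed lines."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2] in ("udp", "tcp"):
            counts[(fields[1], fields[2])] += 1
    return counts

def compare(before_text, after_text):
    """Report which resolvers seen before the change still reach us over TCP."""
    before, after = parse(before_text), parse(after_text)
    seen_before = {src for src, _ in before}
    tcp_after = {src for src, proto in after if proto == "tcp"}
    udp_after = {src for src, proto in after if proto == "udp"}
    lost = seen_before - tcp_after
    return {
        "queries_before": sum(before.values()),
        "tcp_queries_after": sum(n for (_, p), n in after.items() if p == "tcp"),
        # Still sending UDP but never switching to TCP: likely cut off.
        "still_udp_only": sorted(lost & udp_after),
        # Not seen at all afterwards: may be cut off or just normal churn.
        "silent": sorted(lost - udp_after),
    }

if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

Run over equal-length windows on either side of the change, the `still_udp_only` list is the set of resolvers that keep asking over UDP and never fall back to TCP.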