[nsd-users] Request Rate Limiting
Michael A. Peters
mpeters at domblogger.net
Fri Sep 30 20:41:34 UTC 2016
I run 3 authoritative nameservers: 1 master in Texas, 1 slave in
California, 1 slave in London.
I am small time, maybe a dozen zones. I just really did not like the
limitations of DNS management that hosting providers and registrars
have, especially wanting me to pay a fee to have DNSSEC yet still have
many of the limitations.
In light of the recent massive DDoS attacks I want to make damn sure
that I have RRL properly implemented.
I do keep up to date with the latest NSD and it is compiled with the rate
limiting option.
What is the best way though to test the effectiveness of my rate
limiting and determine whether or not it is good enough? Is there by
chance a test service similar to ssllabs where I can test the quality of
my rate limiting?
Secondly, has anyone looked at the real world implications of refusing
UDP? Especially with DNSSEC it seems TCP is more logical and a lot of
DNS requests expecting a large response use TCP anyway.
Could we eliminate the DDoS threat by just turning off UDP?
Recursive servers I understand probably have to keep accepting them, but
authoritative servers are only intended for recursive servers to query,
so would it be safe to just drop port 53 UDP requests?
I hope that isn't too ignorant of a question.
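One way to reason about whether a rate-limit setting is "good enough" without sending any traffic at a live server is to model what RRL does to a spoofed burst. The example below is added here and is not code from the post or from NSD itself: it replays a constructed list of queries through a simplified per-source-prefix model that uses the same three knobs NSD exposes as `rrl-ratelimit` (answers per second), `rrl-slip` (every Nth over-limit query gets a small truncated reply instead of being dropped, 0 disables slip) and `rrl-ipv4-prefix-length` (how source addresses are aggregated), and reports how many response bytes the burst would have drawn from the server with and without RRL. The query and truncated-reply sizes, the test-net addresses and the workload are all constructed, and keying the counter on (prefix, qname, qtype) is an assumption for illustration; NSD's real classifier groups queries by response type rather than exact name.

```python
"""Simplified model of DNS response rate limiting (RRL).  Added example:
it sends no packets, it only replays a constructed query list.  The three
parameters mirror the NSD options rrl-ratelimit, rrl-slip and
rrl-ipv4-prefix-length; the classification key is an assumption."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

QUERY_BYTES = 70        # constructed: typical UDP query size including headers
TRUNCATED_BYTES = 60    # constructed: size of a TC=1 reply carrying no answer


@dataclass(frozen=True)
class Query:
    t: float          # arrival time in seconds
    src: str          # claimed source address (spoofable over UDP)
    qname: str
    qtype: str
    resp_bytes: int   # size of the full UDP response this query would draw


def source_prefix(src: str, prefix_len: int) -> str:
    """Aggregate a source address into the /prefix_len network it belongs to."""
    return str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))


def simulate(queries, ratelimit=200, slip=2, prefix_len=24):
    """Replay queries through the RRL model and return traffic counters."""
    counts = defaultdict(int)        # (second, prefix, qname, qtype) -> answers sent
    over_limit = defaultdict(int)    # prefix -> over-limit queries seen, drives slip
    stats = {"answered": 0, "slipped": 0, "dropped": 0,
             "bytes_in": 0, "bytes_out_no_rrl": 0, "bytes_out_rrl": 0}
    for q in sorted(queries, key=lambda q: q.t):
        stats["bytes_in"] += QUERY_BYTES
        stats["bytes_out_no_rrl"] += q.resp_bytes
        prefix = source_prefix(q.src, prefix_len)
        key = (int(q.t), prefix, q.qname.lower(), q.qtype)
        counts[key] += 1
        if counts[key] <= ratelimit:
            stats["answered"] += 1
            stats["bytes_out_rrl"] += q.resp_bytes
            continue
        over_limit[prefix] += 1
        if slip and over_limit[prefix] % slip == 0:
            # Truncated reply: a genuine client retries over TCP, while a
            # spoofed victim receives only a few dozen bytes.
            stats["slipped"] += 1
            stats["bytes_out_rrl"] += TRUNCATED_BYTES
        else:
            stats["dropped"] += 1
    return stats


def amplification(stats, key):
    """Bytes sent per byte received, for the chosen output counter."""
    return stats[key] / stats["bytes_in"]


def constructed_workload():
    """A spoofed burst plus a few legitimate queries (RFC 5737 test-net addresses)."""
    burst = [Query(t=10.0 + i / 100, src="203.0.113.7", qname="example.com",
                   qtype="ANY", resp_bytes=3000) for i in range(100)]
    legit = [Query(t=10.0 + i, src="198.51.100.5", qname="www.example.com",
                   qtype="A", resp_bytes=120) for i in range(5)]
    return burst + legit


if __name__ == "__main__":
    stats = simulate(constructed_workload(), ratelimit=20, slip=2, prefix_len=24)
    for name, value in stats.items():
        print(f"{name:18s} {value}")
    print(f"amplification without RRL: {amplification(stats, 'bytes_out_no_rrl'):.1f}x")
    print(f"amplification with RRL:    {amplification(stats, 'bytes_out_rrl'):.1f}x")
```

With the constructed workload and a limit of 20 answers per second, the 100-query burst from one /24 gets 20 full answers, 40 truncated replies and 40 drops, while the five legitimate queries from a different prefix are all answered; the output traffic the burst draws falls from roughly 41 bytes per query byte to under 9. Varying `slip` shows the trade-off the two questions above touch on: slip 0 cuts reflected bytes further but leaves a rate-limited real client with no TC=1 hint to retry over TCP.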