[nsd-users] Request Rate Limiting

Michael A. Peters mpeters at domblogger.net
Fri Sep 30 20:41:34 UTC 2016

I run 3 authoritative nameservers. I master in Texas, 1 slave in 
California, 1 slave in London.

I am small time, maybe a dozen zones. I just really did not like the 
limitations of DNS management that hosting providers and registrars 
have, especially wanting me to pay a fee to have DNSSEC yet still have 
many of the limitations.

In light of the recent massive DDoS attacks I want to make damn sure 
that I have RRL properly implemented.

I do keep up to date with the latest NSD and it is compiled with rate 
limiting option.

What is the best way though to test the effectiveness of my rate 
limiting and determine whether or not it is good enough? Is there by 
chance a test service similar to ssllabs where I can test the quality of 
my rate limiting?

Secondly, has anyone looked at the real world implications of refusing 
UDP? Especially with DNSSEC it seems TCP is more logical and a lot of 
DNS requests expecting a large response use TCP anyway.

Could we eliminate the DDoS threat by just turning off UDP?

Recursive servers I understand probably have to keep accepting them, but 
authoritative servers are only intended for recursive servers to query, 
so would it be safe to just drop port 53 UDP requests?

I hope that isn't too ignorant of a question.

More information about the nsd-users mailing list