Bind DNS rate-limit and values for responses-per-second and window
Solution 1:
You should read the administrator reference manual for BIND 9.9.
Basically, responses-per-second is the number of identical replies that can be sent to one single destination, per second. The definitions are tricky.
A single destination is a block of network addresses, of the size configured in ipv4-prefix-length or ipv6-prefix-length as applicable. So, if the ipv4-prefix-length is 24, and both 192.0.2.1 and 192.0.2.2 are querying the DNS server, they will share this quota and can only send so many queries between the two of them.
Identical replies are replies to queries for a particular RRtype for a particular existent name, or for a nonexistent name. The following queries are all distinct:
IN A example.net.
IN A www.example.net.
IN AAAA example.net.
IN A nonexistent.domain.example.net.
However, all of the following queries are identical (assuming nonexistent.domain.example.net. etc. live up to their names):
IN A nonexistent.domain.example.net.
IN A nonexistent.domain2.example.net.
IN SOA other.nonexistent.domain.example.net.
window complicates things a little more still. It is the number of seconds for which quota can be banked. Multiplying window and responses-per-second gives the maximum by which any quota can be positive, or in more basic terms, the burst capacity.
To give a catch-all example:
You are the nonrecursing, authoritative nameserver for example.net. Imagine no DNS traffic was seen at all in the past 10 seconds, and the configuration in the question applies globally. The following events happen sequentially:
- Host 198.51.100.1 sends 100 queries for IN NS example.net. 25 will be allowed, and the remaining 75 will be ignored.
- Host 198.51.100.1 sends 100 queries for IN A nonexistent.example.net. 25 will be allowed, and the remaining 75 will be ignored.
- Host 198.51.100.1 sends 1 query for IN MX nonexistent-domain.example.net. It will be ignored since the limit for nonexistent domains has been reached.
- Host 198.51.100.1 sends 1 query for IN A example.net. It is allowed.
- Hosts 192.0.2.1 through 192.0.2.50 each send a single query for IN NS example.net. 25 of them get replies and the remaining 25 are ignored; the quota for 198.51.100.0/24 does not apply to these hosts, but they share the quota for 192.0.2.0/24.
- One second passes.
- Hosts 192.0.2.26 through 192.0.2.50 repeat their query IN NS example.net. 5 of them get replies and the remaining 20 are ignored, since the quota is only replenished by 5 queries per second.
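The quota accounting described in the answer above can be replayed as a small token-bucket model. The following is an added illustration, not BIND's own code and not part of the answer: it assumes the question's configuration was `responses-per-second 5; window 5; ipv4-prefix-length 24;` (the values the walkthrough implies), uses BIND's default ipv6-prefix-length of 56, and treats a constructed set of names as the ones that exist in example.net. It deliberately leaves out BIND's `slip` behaviour (by default every second rate-limited response is sent as a truncated reply so legitimate clients retry over TCP), `errors-per-second`, and `exempt-clients`, so "dropped" here simply means "not answered".

```python
# Simplified model of BIND 9.9 response rate limiting (RRL) as explained in the
# answer above. Added illustration, NOT BIND's own code. Assumed configuration:
#   rate-limit { responses-per-second 5; window 5; ipv4-prefix-length 24; };
# ipv6-prefix-length is left at BIND's default of 56. slip, errors-per-second
# and exempt-clients are not modelled.
import ipaddress

RESPONSES_PER_SECOND = 5   # assumed from the question
WINDOW = 5                 # seconds of quota that can be banked (assumed)
IPV4_PREFIX_LENGTH = 24    # assumed from the question
IPV6_PREFIX_LENGTH = 56    # BIND default

# Names that exist in the example.net zone. Constructed for this example;
# any other name is treated as NXDOMAIN.
EXISTING_NAMES = {"example.net.", "www.example.net."}


class Rrl:
    """Token-bucket accounting: one bucket per (client block, response identity)."""

    def __init__(self, rps=RESPONSES_PER_SECOND, window=WINDOW):
        self.rps = rps
        self.window = window
        self.burst = rps * window      # maximum quota that can be banked
        self.buckets = {}              # key -> [balance, time of last update]
        self.now = 0                   # simulated clock, whole seconds

    def advance(self, seconds):
        self.now += seconds

    @staticmethod
    def client_block(ip):
        """Collapse a source address to the prefix that shares one quota."""
        addr = ipaddress.ip_address(ip)
        plen = IPV4_PREFIX_LENGTH if addr.version == 4 else IPV6_PREFIX_LENGTH
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    @staticmethod
    def identity(qname, qtype):
        """Existing names are keyed by (name, type); all NXDOMAINs share one key."""
        if qname in EXISTING_NAMES:
            return ("exists", qname, qtype)
        return ("nxdomain",)

    def query(self, ip, qname, qtype):
        """Return True if the response is sent, False if it is rate limited."""
        key = (self.client_block(ip), self.identity(qname, qtype))
        if key in self.buckets:
            balance, last = self.buckets[key]
            # Credit rps per elapsed second, never beyond window * rps.
            balance = min(self.burst, balance + (self.now - last) * self.rps)
        else:
            balance = self.burst       # quiet client starts with a full burst
        allowed = balance >= 1
        if allowed:
            balance -= 1
        self.buckets[key] = [balance, self.now]
        return allowed

    def burst_of(self, ips, qname, qtype):
        """Send one query per address in ips; return (answered, dropped)."""
        results = [self.query(ip, qname, qtype) for ip in ips]
        return (sum(results), len(results) - sum(results))


def run_scenario():
    """Replay the answer's sequence; returns (answered, dropped) for each step."""
    rrl = Rrl()
    rrl.advance(10)                    # ten quiet seconds before the first query
    steps = []
    steps.append(rrl.burst_of(["198.51.100.1"] * 100, "example.net.", "NS"))
    steps.append(rrl.burst_of(["198.51.100.1"] * 100, "nonexistent.example.net.", "A"))
    steps.append(rrl.burst_of(["198.51.100.1"], "nonexistent-domain.example.net.", "MX"))
    steps.append(rrl.burst_of(["198.51.100.1"], "example.net.", "A"))
    block = [f"192.0.2.{i}" for i in range(1, 51)]
    steps.append(rrl.burst_of(block, "example.net.", "NS"))
    rrl.advance(1)                     # one second passes
    steps.append(rrl.burst_of(block[25:], "example.net.", "NS"))
    return steps


if __name__ == "__main__":
    for n, (answered, dropped) in enumerate(run_scenario(), 1):
        print(f"step {n}: {answered} answered, {dropped} rate limited")
```

Running it reproduces the counts in the walkthrough (25/75, 25/75, 0/1, 1/0, 25/25, 5/20). The two things worth noticing in the model are that the NXDOMAIN bucket is shared across every nonexistent name and type for a client block, which is why step 3 is refused even though that exact name was never asked for, and that the /24 collapse makes 50 distinct hosts compete for one 25-response burst.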
Solution 2:
It limits the number of identical responses a single DNS client can get in a second. The window 5 option allows a burst of 5*5 responses.
"Identical responses" and "single DNS client" are a bit non-obvious terms here, read this for more info: http://web.archive.org/web/20140209100744/http://ss.vix.su/~vjs/rl-arm.html .
Generally it's a good thing to rate-limit; it may help you in case of a DoS attack some day. The defaults should be OK for most cases.
Solution 3:
iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 60 --hitcount 11 --name dnslimit -j DROP
iptables can work just as well. It keeps the traffic out of the service completely if an attack is found.