> From: "Lawrence K. Chen, P.Eng." <lkc...@ksu.edu>
> So does rate limiting cover when the attacker walks my DNS zone to
> attack an IP?
That depends on what is meant by "rate limiting" and "walking a DNS zone". Simple rate limiting that counts all requests ostensibly from a single IP address regardless of (qname,qtype) differs from response rate limiting (RRL), which counts distinct responses. "Walking a zone" can differ from walking a zone's valid names (perhaps based on NSEC RRs or arithmetic as in a reverse zone).

Simple rate limiting is required to mitigate zone walking for valid names not based on a wildcard, because the valid responses differ for RRL. If you read the BIND9 RRL documentation, then you will find that simple rate limiting is supported by the BIND9 RRL patch. However, simple rate limiting is best done in a separate firewall to avoid spending CPU cycles, memory bandwidth, and other resources of the DNS server.

Responses based on a wildcard or error responses such as NXDOMAIN or REFUSED responses are considered identical by RRL and so are limited by the BIND RRL patch.

On the other hand, an attack from an ambitious bad guy who has built a list of 1,000,000 triples of (qname,qtype,DNS server IP) and does not hit any single DNS server more often than 5 requests/second will not be detected by any of the servers and so cannot be mitigated at the servers even with simple rate limiting. It is in a sense fortunate that DNSSEC is still so rare that finding 1,000,000 DNS server IP addresses with large amplification requires more effort than other reflection mechanisms.

Vernon Schryver
v...@rhyolite.com

P.S. Maybe there should be an FAQ somewhere, because it seems as if I've written something similar often enough to irritate others.
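An added illustration of the distinction drawn above, not code from the thread or from BIND: a constructed model of a simple per-client limiter beside an RRL-style limiter keyed on response identity, run over three constructed query streams (a walk of valid names, random NXDOMAIN names, wildcard-synthesized answers). The zone name, client address and the 5 responses/second limit are assumed sample values.

```python
from collections import defaultdict

# Constructed model, not BIND's RRL implementation. A simple limiter keys on the
# (apparent) client address only. RRL keys on the response identity: distinct
# valid answers are distinct, while all error responses (NXDOMAIN, REFUSED) and
# all answers synthesized from one wildcard count as a single identity.
ERROR_RCODES = {"NXDOMAIN", "REFUSED"}

def simple_key(q):
    return q["src"]

def rrl_key(q):
    if q["rcode"] in ERROR_RCODES:
        return (q["src"], q["rcode"])
    if q["wildcard"]:
        return (q["src"], "*." + q["zone"], q["qtype"])
    return (q["src"], q["qname"], q["qtype"])

def count_drops(queries, limit, keyfunc):
    """All queries fall in one one-second window; return how many exceed limit."""
    seen = defaultdict(int)
    dropped = 0
    for q in queries:
        k = keyfunc(q)
        seen[k] += 1
        if seen[k] > limit:
            dropped += 1
    return dropped

def make_queries(n, src, zone, kind):
    out = []
    for i in range(n):
        q = {"src": src, "zone": zone, "qtype": "A", "wildcard": False, "rcode": "NOERROR"}
        if kind == "walk":          # distinct valid names, e.g. taken from an NSEC chain
            q["qname"] = f"host{i}.{zone}"
        elif kind == "nxdomain":    # random names that do not exist
            q["qname"] = f"junk{i}.{zone}"; q["rcode"] = "NXDOMAIN"
        elif kind == "wildcard":    # names answered from *.zone
            q["qname"] = f"any{i}.{zone}"; q["wildcard"] = True
        out.append(q)
    return out

def compare(n, kind, limit=5):
    """Return (drops by simple limiter, drops by RRL) for n queries of one kind."""
    qs = make_queries(n, "192.0.2.10", "example.com", kind)  # constructed client/zone
    return count_drops(qs, limit, simple_key), count_drops(qs, limit, rrl_key)

if __name__ == "__main__":
    for kind in ("walk", "nxdomain", "wildcard"):
        print(kind, compare(20, kind))   # walk -> (15, 0); others -> (15, 15)
```

A stream that stays at or under the limit (compare(4, "walk")) is dropped by neither limiter, which is the point about an attacker spreading 1,000,000 triples across many servers.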