Understood. I already have ACLs defined. So I can use the "rate-limit{exempt-clients{address-match-list}};" statement to exclude my client addresses from the RRL checks. Thanks.
Rohan

On Fri, 3 May 2013 20:13:47 GMT Vernon Schryver <v...@rhyolite.com> wrote:

>> From: <rohan.he...@cwjamaica.com>
>
>>> What if both authoritative and recursive are running on the same
>>> server since RRL does not apply to recursive servers?
>
>> Found the answer to below.
>>
>> According to isc-tn-2012-1.txt hybrid authority/recursive servers
>> are out of scope.
>
> I disagree. What isc-tn-2012-1.txt says is
>
>     Deliberately open recursive DNS servers, or hybrid authority/recursive
>     servers or server views, are outside the scope of ***THIS DOCUMENT.***
>
> (emphasis added)
>
> Recursive servers should be closed instead of open to the Internet.
> When a single BIND instance is used for both local recursive service
> and global authoritative service, a good way to close the recursive
> service to the Internet while providing authoritative service to the
> Internet is with two views. The external view can disable recursion
> and include a rate-limit{} statement to apply RRL to responses to
> external DNS clients. Another way to close recursion to the Internet
> is to use allow-recursion{address-match-list}; and
> rate-limit{exempt-clients{address-match-list}}; statements in the main
> options statement.
>
> If you must keep your recursive server open to the Internet, then you MUST
> do some sort of rate limiting. If you cannot do rate limiting that
> is even fancier than RRL such as Google's, then an open recursive
> server with RRL is far better than a naked open recursive DNS server.
> See https://developers.google.com/speed/public-dns/docs/security#rate_limit
>
> The problem with RRL on recursive servers is that it works. Any rate
> limiting sufficiently low to minimize the danger of DNS reflection DoS
> attacks including RRL can affect applications such as web browsers and
> SMTP servers (mail receivers) that send bursts of identical DNS requests.
> With RRL, those effects are generally limited to pauses and slowdowns
> as affected applications time out and retry.
>
> Vernon Schryver v...@rhyolite.com

Rohan Henry
Server Administrator
Cable And Wireless Jamaica
Phone (876) 936-4819
Mobile (876) 997-0729

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
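To make the two approaches Vernon describes concrete, here is an added named.conf sketch that is not from either message in this thread: the first part closes recursion with two views and applies RRL only in the external view; the second part does the same job with a single options statement using allow-recursion and exempt-clients. The ACL name, address prefixes, zone name and file names are constructed placeholders.

```conf
// Added example, not from the thread. ACL, prefixes, zone and file names are placeholders.
acl "trusted" { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };

// ---- Option A: two views ----------------------------------------------------
// Local clients get recursion and no RRL; everyone else gets authoritative
// answers only, rate limited. Recursion is never offered to the Internet.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.com" { type master; file "db.example.com"; };
};

view "external" {
    match-clients { any; };
    recursion no;                 // recursive service closed to the Internet
    rate-limit {
        responses-per-second 5;   // identical responses per client block (/24 by default) per second
        window 5;                 // seconds over which bursts are averaged
        // log-only yes;          // uncomment to observe what would be limited before enforcing
    };
    // Once views are used, every zone must be declared inside a view.
    zone "example.com" { type master; file "db.example.com"; };
};

// ---- Option B: no views (use INSTEAD of the view blocks above) --------------
// Recursion is granted only to trusted clients, and the same clients are
// exempted from RRL so their bursts of identical queries (browsers, MTAs)
// are not slowed; Internet clients get authoritative answers under RRL.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    rate-limit {
        responses-per-second 5;
        window 5;
        exempt-clients { trusted; };
    };
};
zone "example.com" { type master; file "db.example.com"; };
```

Pick one option only (views and top-level zones cannot be mixed), then run named-checkconf on the result before reloading; rate-limit is accepted only by a BIND build that includes RRL support.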