Response Rate Limiting in the Domain Name System (DNS RRL)

This page describes DNS Response Rate Limiting (DNS RRL), an experimental feature for domain name servers including CZ-NIC Knot DNS, NLNetLabs NSD, and ISC BIND9.

These patches and instructions pertain to authority name servers or authoritative views. Use of this kind of rate limiting for recursive or hybrid servers or views is currently unspecified.

Note Well: This is DNS RRL, meant to be implemented in many different name servers; it is not a BIND-specific feature, even though BIND was the first name server for which DNS RRL was implemented. DNS RRL will eventually be submitted to the IETF for standardization work. The need for DNS RRL is immediate and pressing, and the IETF processing of this work was therefore planned to come last rather than first.

References:

Instructions for BIND9:

  • If you are not running Microsoft Windows on your name server:
    • Download the appropriate patch file (linked above)
    • Download a clean copy of BIND9 and un-tar it
    • Run "patch -p0 -l" while standing in the BIND9 source pool
    • Build the patched BIND9
  • If you are running Microsoft Windows on your name server:
    • Download one of the above-linked Microsoft Windows executables
  • Install the patched BIND9 server
  • Read the above-linked technical note and draft ARM text to familiarize yourself with the technology
  • Add something like this to your options block in your authoritative-only views:

    rate-limit {
        responses-per-second 15;
        window 5;
    };

  • Restart your name server and verify that it is operating normally
  • Test the rate limiting using a command similar to the one below:

    repeat 10 dig @server-ip-address +short +tries=1 +time=1 your-zone.com a

    The result should be at least one timeout out of the ten successive answers.
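To make the two parameters in the rate-limit block concrete, here is a small Python model of RRL accounting. It is an added example, not code from this page or from BIND9, NSD or Knot, and it assumes a simplified reading of the algorithm: each (client prefix, query name, query type) bucket holds at most responses-per-second credits, earns credits back at that rate, and may run into debt no deeper than responses-per-second times window seconds, so a client that goes quiet is served again after roughly window seconds. Client grouping by /24 (IPv4) or /56 (IPv6) prefix, the 192.0.2.0/24 addresses and the query timings are all constructed for the demonstration.

```python
"""Simplified model of DNS RRL credit accounting.

Assumption: this is an educational approximation of the scheme described
in the DNS RRL technical note, not the exact BIND9/NSD/Knot implementation.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Bucket:
    credits: float   # positive = responses still allowed, negative = debt
    last_seen: float  # time of the last query charged to this bucket


@dataclass
class ResponseRateLimiter:
    responses_per_second: int = 15
    window: int = 5
    _buckets: dict = field(default_factory=dict)

    def _key(self, client_ip, qname, qtype):
        # Group clients by prefix so one spoofed /24 cannot get a fresh
        # bucket per source address (assumed /24 for IPv4, /56 for IPv6).
        addr = ipaddress.ip_address(client_ip)
        prefix_len = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network((addr, prefix_len), strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return "send" or "drop" for one would-be identical response."""
        key = self._key(client_ip, qname, qtype)
        rps = self.responses_per_second
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(credits=rps, last_seen=now)
        else:
            # Credits come back at responses-per-second, capped at one
            # second's worth so a long-quiet client cannot store a huge burst.
            elapsed = now - bucket.last_seen
            bucket.credits = min(rps, bucket.credits + elapsed * rps)
            bucket.last_seen = now
        if bucket.credits >= 1:
            bucket.credits -= 1
            decision = "send"
        else:
            # Dropped responses still deepen the debt, but only down to
            # window seconds' worth, bounding how long a client is penalised.
            bucket.credits = max(bucket.credits - 1, -rps * self.window)
            decision = "drop"
        self._buckets[key] = bucket
        return decision


def simulate_burst(n, rps=15, window=5):
    """n identical queries from addresses in one /24, 1 ms apart.

    Returns (sent, dropped); the whole /24 shares one bucket."""
    rrl = ResponseRateLimiter(rps, window)
    decisions = [
        rrl.decide("192.0.2.%d" % (i % 254 + 1), "your-zone.com", "A",
                   now=100.0 + i * 0.001)
        for i in range(n)
    ]
    return decisions.count("send"), decisions.count("drop")


def simulate_recovery(rps=15, window=5):
    """Drive one client deep into debt, then see when it is served again."""
    rrl = ResponseRateLimiter(rps, window)
    t_last = 100.0
    for i in range(200):                      # constructed flood, 200 q/s
        t_last = 100.0 + i * 0.001
        rrl.decide("192.0.2.1", "your-zone.com", "A", now=t_last)
    return {
        # Still in debt after one quiet second.
        "after_1s": rrl.decide("192.0.2.1", "your-zone.com", "A",
                               now=t_last + 1.0),
        # Fully recovered once window seconds (plus one) have passed.
        "after_window": rrl.decide("192.0.2.1", "your-zone.com", "A",
                                   now=t_last + window + 1.0),
        # A different response identity from the same client is untouched.
        "other_name": rrl.decide("192.0.2.1", "www.your-zone.com", "A",
                                 now=t_last + 1.0),
    }


if __name__ == "__main__":
    print("20-query burst, rps=15:", simulate_burst(20))
    print("recovery:", simulate_recovery())
```

Run the file to see a 20-query burst split into 15 sent and 5 dropped responses, and a flooding client that is still refused one second after it stops but served again once window seconds have elapsed, while a query for a different name from the same client is answered throughout.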

Beyond that:

Please consider joining the ratelimits mailing list in order to join discussions about this technology. Especially interesting are stories of what worked and what did not work.

Credits:

This work is a joint effort by Vernon Schryver and Paul Vixie.