9

In my DNS server's named.conf I see

    rate-limit {
            responses-per-second 5;
            window 5;
    };

What does this actually mean? And can it cause DNS clients problems? Is this too tight a configuration?

Red Cricket

  • As for "what does it actually mean" I would recommend the [relevant section in the manual](http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2588961), also see the [same section for the upcoming 9.10 version](http://ftp.isc.org/isc/bind9/9.10.0b2/doc/arm/Bv9ARM.ch06.html#id2590192) – Håkan Lindqvist Mar 30 '14 at 09:20
  • Here's a more relevant link https://bind9.readthedocs.io/en/latest/reference.html?highlight=rate-limit#response-rate-limiting since the preceding link was broken... – Thomas N Oct 06 '21 at 16:25

5 Answers

13

You should read the administrator reference manual for BIND 9.9.

Basically, responses-per-second is the number of identical replies that can be sent to one single destination, per second. The definitions are tricky.

A single destination is a block of network addresses, of the size configured in ipv4-prefix-length or ipv6-prefix-length as applicable. So, if the ipv4-prefix-length is 24, and both 192.0.2.1 and 192.0.2.2 are querying the DNS server, they will share this quota and can only send so many queries between the two of them.

Identical replies are replies to queries for a particular RRtype for a particular existent name, or for a nonexistent name. The following queries are all distinct:

    IN A example.net.
    IN A www.example.net.
    IN AAAA example.net.
    IN A nonexistent.domain.example.net.

However, all of the following queries are identical (assuming nonexistent.domain.example.net. etc. live up to their names):

    IN A nonexistent.domain.example.net.
    IN A nonexistent.domain2.example.net.
    IN SOA other.nonexistent.domain.example.net.

window complicates things a little more still. It is the number of seconds for which quota can be banked. Multiplying window and responses-per-second gives the maximum by which any quota can be positive, or in more basic terms, the burst capacity.

To give a catch-all example:

You are the nonrecursing, authoritative nameserver for example.net.. Imagine no DNS traffic was seen at all in the past 10 seconds, and the configuration in the question applies globally. The following events happen sequentially:

  1. Host 198.51.100.1 sends 100 queries for IN NS example.net.. 25 will be allowed, and the remaining 75 will be ignored.
  2. Host 198.51.100.1 sends 100 queries for IN A nonexistent.example.net.. 25 will be allowed, and the remaining 75 will be ignored.
  3. Host 198.51.100.1 sends 1 query for IN MX nonexistent-domain.example.net. It will be ignored since the limit for nonexistent domains has been reached.
  4. Host 198.51.100.1 sends 1 query for IN A example.net.. It is allowed.
  5. Hosts 192.0.2.1 through 192.0.2.50 each send a single query for IN NS example.net.. 25 of them get replies and the remaining 25 are ignored; the quota for 198.51.100.0/24 does not apply to these hosts, but they share the quota for 192.0.2.0/24.
  6. One second passes.
  7. Hosts 192.0.2.26 through 192.0.2.50 repeat their query IN NS example.net.. 5 of them get replies and the remaining 20 are ignored, since the quota is only replenished by 5 queries per second.

Falcon Momot

8

It limits the number of identical responses a single DNS client can get in a second. The window 5 option allows a burst of 5*5 responses.

"Identical responses" and "single DNS client" are a bit non-obvious terms here, read this for more info: http://web.archive.org/web/20140209100744/http://ss.vix.su/~vjs/rl-arm.html

Generally it's a good thing to rate-limit - may help you in case of a DoS attack some day. The defaults should be OK for most cases.

Fa11enAngel
skarap

  • The part about "burst" in the first paragraph is wrong. `window` is only used for controlling the timespan within which "identical responses" sent to each "single DNS client" are tracked. The [BIND 9 Administrator Reference Manual](ftp://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.pdf) states: _The [client's RRL] account **cannot become more positive than the per-second limit** or more negative than `window` times the per-second limit._ [This message](http://lists.redbarn.org/pipermail/ratelimits/2013-July/000458.html) by Vernon Schryver explains the algorithm's behavior in more detail. – Kempniu May 20 '15 at 09:14
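The credit-account rule quoted from the ARM in the comment above, together with the "single destination" and "identical replies" definitions given in Falcon Momot's answer, can be turned into a small simulation. The block below is an added example written for this page, not BIND's own code: it keeps one account per (client /ipv4-prefix-length block, response class), lets the balance move only between +responses-per-second and -window × responses-per-second, and ignores slip, exempt-clients, log-only, qps-scale and the other rate-limit options. The class keys (a (qname, qtype) pair for existing names, one shared NXDOMAIN class) are an assumption that follows the answer's description. The scenario function replays the question's configuration against the seven-step sequence from the first answer, using the addresses and names that appear there.

```python
"""Simplified model of BIND RRL credit accounting (constructed example)."""
from ipaddress import ip_network


class RateLimiter:
    """One credit account per (client address block, response class)."""

    def __init__(self, responses_per_second=5, window=5, ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.window = window
        self.plen = ipv4_prefix_length
        # account key -> (credit balance, second of last update)
        self.accounts = {}

    def _client_block(self, addr):
        # A "single destination" is the /ipv4-prefix-length block holding addr.
        return str(ip_network(f"{addr}/{self.plen}", strict=False))

    @staticmethod
    def response_class(qname, qtype, exists):
        # Assumed classification: existing names are keyed by name and type,
        # every nonexistent name shares one NXDOMAIN class.
        return (qname, qtype) if exists else ("NXDOMAIN",)

    def respond(self, now, client, qname, qtype, exists=True):
        """Return True if the response is sent, False if it is dropped."""
        key = (self._client_block(client), self.response_class(qname, qtype, exists))
        credit, last = self.accounts.get(key, (self.rps, now))
        # Replenish rps credits per elapsed second, but never above rps: the
        # account "cannot become more positive than the per-second limit".
        credit = min(self.rps, credit + self.rps * (now - last))
        allowed = credit > 0
        # Every response, sent or dropped, costs one credit. The floor of
        # -window*rps is what `window` controls: after a burst stops, the
        # account can stay in debt for up to `window` seconds.
        credit = max(-self.window * self.rps, credit - 1)
        self.accounts[key] = (credit, now)
        return allowed


def run_scenario():
    """Replay the seven steps from the first answer with the question's config."""
    rl = RateLimiter(responses_per_second=5, window=5)
    r = {}
    # 1. 100 identical NS queries from one host at t=0.
    r["burst_ns"] = sum(rl.respond(0, "198.51.100.1", "example.net.", "NS")
                        for _ in range(100))
    # 2. 100 queries for a nonexistent name: a separate class with its own quota.
    r["burst_nx"] = sum(rl.respond(0, "198.51.100.1", "nonexistent.example.net.",
                                   "A", exists=False) for _ in range(100))
    # 3. A different nonexistent name shares the NXDOMAIN class: dropped.
    r["nx_other"] = rl.respond(0, "198.51.100.1", "nonexistent-domain.example.net.",
                               "MX", exists=False)
    # 4. IN A example.net. is a distinct class: allowed.
    r["a_root"] = rl.respond(0, "198.51.100.1", "example.net.", "A")
    # 5. 50 hosts in 192.0.2.0/24 each ask IN NS: they share one account.
    r["block_ns"] = sum(rl.respond(0, f"192.0.2.{i}", "example.net.", "NS")
                        for i in range(1, 51))
    # 6./7. One second later the account is still in debt (-25 + 5 < 0).
    r["block_ns_t1"] = sum(rl.respond(1, f"192.0.2.{i}", "example.net.", "NS")
                           for i in range(26, 51))
    # After `window` more seconds of silence the block is back to full credit.
    r["block_ns_t7"] = sum(rl.respond(7, f"192.0.2.{i}", "example.net.", "NS")
                           for i in range(1, 11))
    return r


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

Under this credit rule the allowed counts at each step are bounded by responses-per-second (5), and `window` shows up only as how long a block that has been limited stays limited once its burst ends, which is the distinction the comment above draws.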
4

    # Record every UDP/53 packet's source address in the "dnslimit" list
    iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
    # Drop the packet if that source has 11 or more hits within the last 60 seconds
    iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 60 --hitcount 11 --name dnslimit -j DROP

IPtables can work just as well. Keeps the traffic out of the service completely if an attack is found.

Jeremy Visser
Tiffany Walker

  • awesome! I didn't even think of iptables. But what does that mean in English. I can guess ... if some IP sends 11 or more dns queries block them for 60 seconds, right? – Red Cricket Mar 22 '13 at 06:44
  • No, the translation is: Accept no more than 11 packets within a timeframe of 60 seconds, drop all other packets. – drcelus Mar 22 '13 at 07:38
  • I had a problem, after trying to apply your nice solution I had an error like: "iptables: Applying firewall rules: iptables-restore v1.4.7: -c packet counter not numeric Error occurred at line: 17" Line 17 is the first one of yours. Should I load some specific module? – May 06 '13 at 06:46
  • first line should be as follows: iptables -A INPUT -p udp -m udp --dport 53 -m recent --set --name dnslimit --rsource – May 12 '13 at 05:43
  • I wouldn't go as far as saying that it "works just as well". This rate limits without any idea if it's actually the same query being spammed or different queries, the latter would much more likely be legitimate traffic. – Håkan Lindqvist Mar 30 '14 at 09:26
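To make the two rules' behaviour concrete, here is an added model of the `recent` match as used in this answer; it is example code written for this page, not the xt_recent kernel module. It assumes the semantics I know from the module: the `--set` rule records a timestamp for the source on every packet, and the `--update --seconds 60 --hitcount 11` rule matches (and so drops) when the source has at least 11 recorded timestamps in the last 60 seconds. The 20-entry cap per address is the module's default ip_pkt_list_tot; the extra timestamp `--update` itself adds on a match is left out, which only changes how long a blocked source stays blocked. The traffic is constructed.

```python
"""Model of the iptables `recent` rate limit from the answer (constructed)."""
from collections import defaultdict, deque

SECONDS = 60          # --seconds 60
HITCOUNT = 11         # --hitcount 11
IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentDnsLimit:
    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=IP_PKT_LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        # source address -> ring of the most recent packet timestamps
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def packet(self, now, src):
        """Return 'ACCEPT' or 'DROP' for one UDP/53 packet from src at time now."""
        # Rule 1 (--set): record this packet for the source address.
        stamps = self.stamps[src]
        stamps.append(now)
        # Rule 2 (--update --seconds --hitcount): drop when the source has
        # HITCOUNT or more recorded packets inside the window. Nothing about
        # the query itself is examined; the decision is per source only.
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        return "DROP" if hits >= self.hitcount else "ACCEPT"


def run_scenario():
    fw = RecentDnsLimit()
    out = {}
    # Constructed traffic: one source sends 15 queries, one per second, from t=0.
    verdicts = [fw.packet(t, "203.0.113.7") for t in range(15)]
    out["accepted_in_burst"] = verdicts.count("ACCEPT")  # packets 1..10
    out["first_dropped_at"] = verdicts.index("DROP")     # the 11th packet
    # The source keeps sending at t=30: still inside the window, still dropped.
    out["still_blocked_t30"] = fw.packet(30, "203.0.113.7")
    # Another address is judged on its own count, whatever it asks for.
    out["other_source"] = fw.packet(30, "203.0.113.8")
    # More than 60 s of silence later the old timestamps have left the window.
    out["after_quiet"] = fw.packet(30 + 61, "203.0.113.7")
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The model makes the per-source nature of this approach visible: a resolver that legitimately sends many different queries from one address is limited exactly like a source repeating the same query, whereas BIND's rate-limit keys on the response as well as the client block.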
0

I have a very close configuration (No Window 5 value) on an operational bind 9 server which is suffering an Amplification Attack. I have done DNS Packet Capture and the Server was correctly answering the legitimate queries and not responding to the Attack queries. This was a 5000 packet capture over a period of about 30 minutes. These values have completely thwarted the Attack from my point of view.

Dale
0

I don't think it's a good idea to rate limit, ask yourself: do you rate limit the webserver responses too? Why do you think DNS responses are less important than webserver responses?
And even if you rate limit, that 5 req/sec sounds very low.

Sandor Marton

  • Ratelimiting webserver responses might not be such a bad idea in certain cases. But DNS is mostly UDP, which is easily spoofed (unlike http), so rate limiting is necessary to prevent your nameservers from being used in amplification or reflection attacks. – arjarj May 12 '13 at 13:31
  • If he is not an open resolver then I don't think it's a good target for reflection/amplification attacks, but you are right. 5 req/sec I still think is too low. – Sandor Marton May 12 '13 at 13:49
  • He doesn't specify if it's a recursive or an authoritative server. For an authoritative server rate limiting still is important. Also, it's not just 5 requests per second, it's 5 of the same answers per second, and even corrected if you generate different answers. Generally the 5 requests-per-second setting is fine on bind (because a legitimate server also asks other questions in between). – arjarj May 12 '13 at 14:17
  • Ok, I checked the docs and as I see rate-limit is a per client setting and not per server. I was under the impression that bind would be limited to a total of 5 req/s. Per client, 5 req/sec is ok. – Sandor Marton May 12 '13 at 14:40