16

Are there typically rate limits to querying DNS? If I want to ask 8.8.8.8 for about 30k queries, how slowly must I make the requests so as not to cause or get in trouble?

I've searched for rate limits on DNS queries but I'm not finding any relevant results.

Jason Kleban

  • 1. Why wouldn't you ask the entity that manages 8.8.8.8? 2. What kind of `trouble` are you imagining? – joeqwerty Mar 13 '14 at 20:09
  • Sorry, 8.8.8.8 is Google's public DNS. And the "trouble" would be either causing a DoS (unlikely) or at least appearing to be attempting a DoS (even though I'm not; the purpose is legit). – Jason Kleban Mar 13 '14 at 20:13
  • And I've reviewed Google's FAQs and I don't see hard numbers. But that doesn't mean they would take kindly to it. I'm just checking. – Jason Kleban Mar 13 '14 at 20:15
  • How many queries per second do you think 8.8.8.8 handles? Do you really think you can DoS Google? – toppledwagon Mar 13 '14 at 20:17
  • No, I don't think I can DoS Google. I said that. But I just don't know what the limit is before I end up on some blacklist. – Jason Kleban Mar 13 '14 at 20:18
  • @toppledwagon - roughly about 800,000/sec. But they do limit QPS per IP. – TheCleaner Mar 13 '14 at 20:27
  • @jason could you use a proxy? Something like DotProxy to query different DNS servers concurrently. I'm also looking at this. – CodeGuru Mar 18 '19 at 10:12
  • In theory you could use WHOIS or RDAP to determine the authoritative nameserver for each domain, and only fall back to a non-authoritative NS like 8.8.8.8 or 1.1.1.1. – jchook Feb 21 '21 at 02:54

1 Answer

12

Google does do response rate limiting on their DNS servers.

You can see their full info here: https://developers.google.com/speed/public-dns/docs/security#rate_limit

Google Public DNS implements two kinds of rate control:

  • Rate control of outgoing requests to other nameservers. To protect other DNS nameservers against DoS attacks that could be launched from our resolver servers, Google Public DNS enforces per-nameserver QPS limits on outgoing requests from each serving cluster.
  • Rate control of outgoing responses to clients. To protect any other systems against amplification and traditional distributed DoS (botnet) attacks that could be launched from our resolver servers, Google Public DNS performs two types of rate limiting on client queries: To protect against traditional volume-based attacks, each server imposes per-client-IP QPS and average bandwidth limits. To guard against amplification attacks, in which large responses to small queries are exploited, each server enforces a per-client-IP maximum average amplification factor. The average amplification factor is a configurable ratio of response-to-query size, determined from historical traffic patterns observed in our server logs.

    If queries from a specific source IP address exceed the maximum QPS, or exceed the average bandwidth or amplification limit consistently (the occasional large response will pass), we return (small) error responses or no response at all.

TheCleaner
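The two per-client-IP checks the quoted documentation describes (a QPS cap and a maximum average response-to-query size ratio, with small error responses or no response when they are exceeded), as an added illustration that is not Google's code: a simplified sliding-window limiter with assumed thresholds, where `ClientRateLimiter`, its parameters and the sample IPs are constructed for this example.

```python
import collections
import time

# Hypothetical, simplified model of the two per-client checks the quoted
# Google documentation describes; thresholds are assumed values, not Google's.
class ClientRateLimiter:
    def __init__(self, max_qps, max_amplification, window=1.0, error_bytes=20):
        self.max_qps = max_qps              # queries per second allowed per client IP
        self.max_amp = max_amplification    # max average response/query size ratio
        self.window = window                # sliding window length in seconds
        self.error_bytes = error_bytes      # size of the small error response we send
        # per client IP: deque of (timestamp, query_bytes, bytes_sent_back)
        self._hist = collections.defaultdict(collections.deque)

    def _recent(self, ip, now):
        """Drop history entries older than the window; timestamps must be monotonic."""
        h = self._hist[ip]
        while h and now - h[0][0] > self.window:
            h.popleft()
        return h

    def check(self, ip, query_bytes, response_bytes, now=None):
        """Decide how to treat one query: 'answer', 'truncate' (a small error
        response instead of the full answer) or 'drop' (no response at all)."""
        now = time.monotonic() if now is None else now
        h = self._recent(ip, now)
        # Volume check: dropped queries still count, so a flooding client stays dropped.
        if len(h) + 1 > self.max_qps * self.window:
            h.append((now, query_bytes, 0))
            return "drop"
        # Amplification check on the window average, so one large response among
        # many small ones passes while a sustained run of large responses does not.
        total_q = sum(q for _, q, _ in h) + query_bytes
        total_r = sum(r for _, _, r in h) + response_bytes
        if total_r / total_q > self.max_amp:
            h.append((now, query_bytes, self.error_bytes))
            return "truncate"
        h.append((now, query_bytes, response_bytes))
        return "answer"
```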