Response Rate Limiting in the Domain Name System (DNS RRL)

This page describes DNS Response Rate Limiting (DNS RRL) which is an advanced pre-standard feature for domain name servers including CZ-NIC Knot DNS, NLNetLabs NSD, and ISC BIND9.

These patches and instructions pertain to authority name servers or authoritative views. Use of this kind of rate limiting for recursive or hybrid servers or views is currently unspecified.

Note Well:This is DNS RRL, meant to be implemented in many different name servers, it is not a BIND specific feature even though BIND was the first name server for which DNS RRL was implemented. DNS RRL will eventually be submitted to the IETF for standardization work. The need for DNS RRL is immediate and pressing, and the IETF processing of this work was therefore planned to come last rather than first.

References:

Instructions for BIND9:

  • Install the patched BIND9 server (BIND9 9.10 or later)
  • Read the above-linked technical note to familiarize yourself with the technology
  • Add something like this to your options block in your authoritative-only views:
        
    rate-limit {
        responses-per-second 15;
        window 5;
    };
    
  • Restart your name server and verify that it is operating normally
  • Test the rate limiting using a command similar to the one below:

    repeat 10 dig @server-ip-address +short +tries=1 +time=1 your-zone.com a

    The result should be at least one timeout out of the ten successive answers.

Beyond that:

Please consider joining the ratelimits mailing list in order to join discussions about this technology. Especially interesting are stories of what worked and what did not work.

Credits:

This work is a joint effort by Vernon Schryver and Paul Vixie.