DNSVAULT 5.0
  • Introduction
  • Central Management
  • Fabric Management
  • Node Management
  • Service Management
    • DNS
      • Overview
      • Views
        • Zone
          • Inverse
            • Info
            • Host
            • SOA
            • NS
            • Nodes
            • Statements
            • DNSSEC
            • Logs
          • Reverse
            • Info
            • Host
            • SOA
            • NS
            • Nodes
            • Statements
            • DNSSEC
            • Logs
          • Response Policy
            • RPZ Zone
              • Info
              • Policies
              • Statements
              • Feed
        • Statements
        • Rate Limit
        • Fetch Limit
        • NXDomain Redirect
        • Bulk Upload
        • Attach Master Node
        • Attach Slave Node
        • Resource Record Service Option
        • Permission
        • Manage
      • TSIG
      • ACL
      • Servers
      • Options
      • Templates
  • Reports
Powered by GitBook
On this page

Was this helpful?

  1. Service Management
  2. DNS
  3. Views

Rate Limit

PreviousStatementsNextFetch Limit

Last updated 3 years ago

Was this helpful?

The rate-limit statement is used to limit identical response queries from the same client IP address based on a number of criteria. When rate-limiting is triggered the normal action is to simply drop the query response (this can be modified - see slip parameter below). While it is typically only used by Authoritative Name servers (masters or slaves) to mitigate the effects of DDoS amplification attacks it can be used by recursive servers (a.k.a full-service resolvers) as a method of load limiting but especially when very short (or 0) TTLs are used on cached RRs serious negative effects can result. The statement may be used in a global options or a view clause.

DNSVault rate-limit feature is limited only to queries received by UDP. Queries received by TCP are not limited but are counted in the statistics maintained by the rate-limit function. Rate-limit statements may be defined in either the options or a view clause. If a rate-limit statement appears in the global options clause and a view clause then the view clause version replaces all the parameters defined in the rate-limit of the options clause. Rate-limiting log messages may be streamed by defining the rate-limit category in the logging clause. When a rate-limit statement is encountered in a view clause it replaces that of the global options clause. The rate-limit statement can take an unhealthy number of optional, semi-colon(;) separated, parameters to provide fine control over the conditions under which rate-limiting is invoked and the form that rate-limiting will take:

Name

Value

Notes

responses-per-second

number

This parameter defines the number of identical responses per second (though actually recognized by the query characteristics) allowed from any given source IP address and liess in the range 0 to 1000. If not defined it defaults to 0 (indicates no limits are applied). Identical responses are defined as having the same query name (QNAME) and query type (QTYPE). The following are also counted as identical responses but each is separately counted and thus triggers its own rate-limit: referrals (defaulted to same count value as responses-per-second but can be separately controlled by referrals-per-second); empty responses (NODATA) (defaulted to same count valuee as responses-per-second but can be separately controlled by nodata-per-second); NXDOMAIN responses (defaulted to same count value as responses-per-second but can be separately controlled by nxdomain-per-second); all other errors (in this case the QNAME/QTYPE criteria is not used) such as SERVFAIL, REFUSED and FORMERR (defaulted to same count value as responses-per-second though these can be separately controlled by errors-per-second.

referrals-per-second

number

Defaults to value of responses-per-second. Typically used by Root/TLD's (or user domains with subdomain delegations) and defines the number of referrals per second allowed before rate-limiting is triggered. While typically used instead of responses-per-second in delegation centric domains (for example, TLDs) it may be used in conjunction with responses-per-second or nxdomains-per-second to cover error conditions in delegation centric or mixed domains. Setting a value of 0 indicates that no limits are applied for this category.

nodata-per-second

number

Defaults to the value of responses-per-second. This parameter may be used to separately control rate-limiting based on the number of NODATA responses. Setting a value of 0 indicates that no limits are applied for this category.

nxdomains-per-second

number

Defaults to the value of responses-per-second. This parameter may be used to separately control rate-limiting based on the number of NXDOMAIN (name does not exist) responses. Setting a value of 0 indicates that no limits are applied for this category.

errors-per-second

number

Defaults to the value of responses-per-second. The error count is incremented for each error irrespective of whether the QNAME/QTYPE are identical (the criteria used for all other counts). This parameter may be used to separately control rate-limiting based on the number of error (FORMERR, REFUSED, SERVFAIL) responses. Setting a value of 0 indicates that no limits are applied for this category.

all-per-second

number

The all-per-second parameter simply counts all the responses sent to a particular client IP - the normal identical query criteria is not applied. When the count exceeds number rate-limiting is triggered. The slip parameter is not effective when this parameter is non-zero. Caution should be exercised when using this parameter since certain actions - notably email - can trigger short bursts of hectic, but legitimate, DNS activity - in particular the value of the window parameter should be carefully considered as well as the value of number. Set to 0 by default (no rate-limiting is triggered for this criteria).

window

seconds

The rate-limiting function maintains a rolling window (in seconds) defined by this parameter. The window adds a longer-term dimension to rate limiting. Assume we define a responses-per-second value of 5 and window value of 5 then a single client is rate limited to 5 identical responses in any second and no more that 25 ( 5 x 5) such responses within any 5 second window period. May take a value in the range 1 to 3600 seconds. Default is 15 seconds.

log-only

yes | no

Default is no. If set to yes then the rate limiting function will not be performed will log (to rate-limit category of the logging clause) when the rate-limit function would have been invoked. It is a diagnostic aid to determine both the effectivess of a particular rate limiting policy and to check for accidental collateral damage.

qps-scale

number

Range allowed is 1 to very big number (actually 32 bit unsigned value, which is still a very big number). Default is not to apply qps-scaling. The rate limiting function calculates the approximate query per second load on the DNS from all sources (including TCP queries). The qps-scale, if defined, is then applied which may result in a reduction of the user supplied limits, such as responses-per-second during high-load situations. Thus, assume the user defined responses-per-second 10; and a qps-scale 200; then if the DNS server is receiving queries (from all sources, including TCP) at a rate of 500 per second the following algorithm is applied (qps-scale/DNS query arrival rate) * responses-per-second = effective rate-limit, substituting actual values gives (200/500) * 10 = 4, meaning that in the defined load conditions the 5th and subsequent identical response in any 1 second to any specific client will be dropped (or trigger any defined slip parameter action). The qps-scale value, if used, should thus be set to the maximum desired DNS transaction (query response) rate for the server.

ipv4-prefix-length

number

Range 1 to 32, default is 24. Rate-limiting is performed per client IP address where the client IP address is modified by the IP Prefix to create an IP address block. The default is 24 (256 IP addresses). Thus, if the incoming IP address is 192.168.2.45 then this is added to the count for the address block covering 192.168.2.0 to 192.168.2.255. If individual IP addresses are required for the purposes of rate-limiting then ipv4-prefix-length 32; should be used.

ipv6-prefix-length

number

Range 1 to 128, default is 56. Rate-limiting is performed per client IP address where the client IP address is modified by the IP Prefix to create an IP address block. The default is 56 (lots of IPv6 addresses). Thus, if the incoming IP address is 2001:db8::fe then this is added to the count for the address block covering 2001:db8:: to 2001:db8::FF:FFFF:FFFF:FFFF. If individual IP addresses are required for the purposes of rate-limiting then ipv6-prefix-length 128; should be used.

slip

number

By default the rate-limit function simply drops the response. The slip parameter allows the DNS to set the Truncate (TC) bit in the response which has the effect of forcing the requestor to use TCP. The default is 0 which means that all identical responses are dropped. A value in the range 1 to 10 (maximum allowed) indicates that every n'th message has the TC bit set, thus 1 means that every message has the TC bit set and 7 means every 7th message has the TC bit set. Forcing use of TCP will slow up the requestor slightly (though a zombie used in a DDoS attack may not even retry) but will increase the load on the DNS (TCP uses more round trip messages).

exempt-clients

address-match-list

Defines an address match list structure of all clients to whom the rate-limiting function does not apply, for example, known or trusted sources whose address cannot be forged due to architectural/network design. Defaults to exempt-clients {none;};.

max-table-size

number

Rate-limit information is defined in tables (each entry of which lies in the range 40 to 80 bytes). A maximum size of 20K entries is defaulted for all rate-limiting tables covered by this rate-limit statement. The range allowed is min-table-size (default is 500) to a very big number (32 bit unsigned).

min-table-size

number

Rate-limit information is defined in tables (each entry of which lies in the range 40 to 80 bytes). A minimum size of 500 entries is defaulted at start-up (the table is allowed to grow to max-table-size) for all rate-limiting tables covered by this rate-limit statement. The range allowed is 1 to max-table-size.