Rate Limit

Rate Limit
Email Security

29 July, 2020

Rate Limit

The rate-limit statement is used to limit identical response queries from the same client IP address based on a number of criteria. When rate limiting is triggered the normal action is to simply drop the query response. While it is typically only used by Authoritative Name servers to mitigate the effects of DDoS amplification attacks it can be used by recursive servers when very short TTLs are used on cached RRs serious negative effects can result.

 

rate-limit {

     [ responses-per-second number ; ]

     [ referrals-per-second number ; ]

     [ nodata-per-second number ; ]

     [ nxdomains-per-second number ; ]

     [ errors-per-second number ; ]

     [ all-per-second number ; ]

     [ window number ; ]

     [ log-only yes_or_no ; ]

     [ qps-scale number ; ]

     [ ipv4-prefix-length number ; ]

     [ ipv6-prefix-length number ; ]

     [ slip number ; ]

     [ exempt-clients { address_match_list } ; ]

     [ max-table-size number ; ]

     [ min-table-size number ; ]

};

 

Rate limit feature is limited only to queries received by UDP. Queries received by TCP are not limited but are counted in the statistics maintained by the rate limit function.

If a rate limit statement appears in the global options clause and a view clause then the view clause version replaces all the parameters defined in the rate limit of the options clause.

When a rate limit statement is encountered in a view clause it replaces that of the global options clause. The rate-limit statement can take an unhealthy number of optional, semi-colon(;) separated, parameters to provide fine control over the conditions under which rate limiting is invoked and the form that rate-limiting will take:

 

Name

Value

Notes

responses-per-second

number

This parameter defines the number of identical responses per second (though actually recognized by the query characteristics) allowed from any given source IP address and liess in the range 0 to 1000. If not defined it defaults to 0 (indicates no limits are applied). Identical responses are defined as having the same query name (QNAME) and query type (QTYPE).

referrals-per-second

number

 Defaults to the value of responses-per-second. Typically used by Root/TLD's (or user domains with subdomain delegations) and defines the number of referrals per second allowed before rate-limiting is triggered. Setting a value of 0 indicates that no limits are applied for this category.

nodata-per-second

number

Defaults to the value of responses-per-second. This parameter may be used to separately control rate-limiting based on the number of NODATA responses. Setting a value of 0 indicates that no limits are applied for this category.

nxdomains-per-second

number

Defaults to the value of responses-per-second. This parameter may be used to separately control rate-limiting based on the number of NXDOMAIN (name does not exist) responses. Setting a value of 0 indicates that no limits are applied for this category.

errors-per-second

number

Defaults to the value of responses-per-second. The error count is incremented for each error irrespective of whether the QNAME/QTYPE are identical (the criteria used for all other counts). This parameter may be used to separately control rate-limiting based on the number of error (FORMERR, REFUSED, SERVFAIL) responses. Setting a value of 0 indicates that no limits are applied for this category.

all-per-second

number

The all-per-second parameter simply counts all the responses sent to a particular client IP - the normal identical query criteria is not applied. When the count exceeds number rate-limiting is triggered. The slip parameter is not effective when this parameter is non-zero.

window

seconds

The rate-limiting function maintains a rolling window (in seconds) defined by this parameter. The window adds a longer-term dimension to rate limiting. Assume we define a responses-per-second value of 5 and window value of 5 then a single client is rate limited to 5 identical responses in any second and no more that 25 ( 5 x 5) such responses within any 5 second window period. May take a value in the range 1 to 3600 seconds. Default is 15 seconds.

log-only

yes | no

Default is no. If set to yes then the rate limiting function will not be performed will log.

qps-scale

number

Range allowed is 1 to very big number (actually 32 bit unsigned value, which is still a very big number). The rate limiting function calculates the approximate query per second load on the DNS from all sources (including TCP queries). Assume the user defined responses-per-second 10; and a qps-scale 200; then if the DNS server is receiving queries at a rate of 500 per second the following algorithm is applied (qps-scale/DNS query arrival rate) * responses-per-second = effective rate-limit, substituting actual values gives (200/500) * 10 = 4, meaning that in the defined load conditions the 5th and subsequent identical response in any 1 second to any specific client will be dropped. The qps-scale value, if used, should thus be set to the maximum desired DNS transaction (query response) rate for the server.

ipv4-prefix-length

number

Range 1 to 32, default is 24. Rate-limiting is performed per client IP address where the client IP address is modified by the IP Prefix to create an IP address block. The default is 24 (256 IP addresses). Thus, if the incoming IP address is 192.168.2.45 then this is added to the count for the address block covering 192.168.2.0 to 192.168.2.255. If individual IP addresses are required for the purposes of rate-limiting then ipv4-prefix-length 32; should be used.

ipv6-prefix-length

number

Range 1 to 128, default is 56. Rate-limiting is performed per client IP address where the client IP address is modified by the IP Prefix to create an IP address block. The default is 56 (lots of IPv6 addresses). Thus, if the incoming IP address is 2001:db8::fe then this is added to the count for the address block covering 2001:db8:: to 2001:db8::FF:FFFF:FFFF:FFFF. If individual IP addresses are required for the purposes of rate-limiting then ipv6-prefix-length 128; should be used.

slip

number

By default the rate-limit function simply drops the response. The slip parameter allows the DNS to set the Truncate (TC) bit in the response which has the effect of forcing the requestor to use TCP. The default is 0 which means that all identical responses are dropped. A value in the range 1 to 10 (maximum allowed) indicates that every n'th message has the TC bit set, thus 1 means that every message has the TC bit set and 7 means every 7th message has the TC bit set.

exempt-clients

address-match-list

Defines an address match list structure of all clients to whom the rate-limiting function does not apply, for example, known or trusted sources whose address cannot be forged due to architectural/network design. Defaults to exempt-clients {none;};.

max-table-size

number

Rate-limit information is defined in tables (each entry of which lies in the range 40 to 80 bytes). A maximum size of 20K entries is defaulted for all rate-limiting tables covered by this rate-limit statement. The range allowed is min-table-size (default is 500) to a very big number (32 bit unsigned).

min-table-size

number

Rate-limit information is defined in tables (each entry of which lies in the range 40 to 80 bytes). A minimum size of 500 entries is defaulted at start-up (the table is allowed to grow to max-table-size) for all rate-limiting tables covered by this rate-limit statement. The range allowed is 1 to max-table-size.

 

Request Your Complimentary Domain Analysis