RRL on queries to the built-in _bind view
On servers that do not have Response Rate Limiting (RRL) configured, administrators may still see evidence of rate-limiting being logged. For example:
06-Jan-2021 18:05:30.521 rate-limit: info: client @0x7fc20c721370 192.0.2.189#52080 (hostname.bind): rate limit drop response to 192.0.2.0/24/24 for hostname.bind CH TXT (17a62589)
06-Jan-2021 18:07:37.838 rate-limit: info: stop limiting responses to 192.0.2.0/24 for hostname.bind CH TXT (17a62589)
BIND has a built-in _bind view that provides the following zones:
    view "_bind" chaos {
        recursion no;
        notify no;
        allow-new-zones no;
        # Prevent use of this zone in DNS amplified reflection DoS attacks
        rate-limit {
            responses-per-second 3;
            slip 0;
            min-table-size 10;
        };
        zone "version.bind" chaos {
            type master;
            database "_builtin version";
        };
        zone "hostname.bind" chaos {
            type master;
            database "_builtin hostname";
        };
        zone "authors.bind" chaos {
            type master;
            database "_builtin authors";
        };
        zone "id.server" chaos {
            type master;
            database "_builtin id";
        };
    };
The contents returned by these built-in zones can be overridden directly in named.conf with the version, server-id and hostname options.
However, to disable or alter the rate-limiting itself (for example, if you have monitoring software that sends these queries) you will need to define your own CH class view with different rate-limit settings; when you do, BIND does not create the built-in _bind view.
Alternatively, ensure that your monitoring clients use DNS COOKIE (RFC 7873) to learn the server cookie and send it in their requests. Requests carrying a valid server cookie bypass RRL.
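The following is an added example, not taken from the article or from BIND's own configuration, of a named.conf CH class view that replaces the built-in _bind view while keeping RRL switched on for everyone except the monitoring hosts; the "monitoring" ACL and its address range 192.0.2.0/24 are constructed for the example.

```conf
# Added example (not from the ISC article): a user-defined chaos-class view.
# Because a chaos view is now defined in named.conf, named will not create its
# own "_bind" view, so the rate-limit settings below are the ones that apply.
# Assumption: monitoring hosts live in 192.0.2.0/24 (constructed range).
acl "monitoring" { 192.0.2.0/24; };

view "chaos" chaos {
    match-clients { any; };
    recursion no;
    notify no;
    allow-new-zones no;

    # Keep the same limits as the built-in view so the CH zones cannot be used
    # as an amplification source, but do not slip or drop responses to the
    # monitoring clients.
    rate-limit {
        responses-per-second 3;
        slip 0;
        min-table-size 10;
        exempt-clients { monitoring; };
    };

    # Re-create the zones the built-in view would otherwise provide.
    zone "version.bind" chaos {
        type master;
        database "_builtin version";
    };
    zone "hostname.bind" chaos {
        type master;
        database "_builtin hostname";
    };
    zone "authors.bind" chaos {
        type master;
        database "_builtin authors";
    };
    zone "id.server" chaos {
        type master;
        database "_builtin id";
    };
};
```

Once any view statement is present in named.conf, every zone must live inside a view, so existing top-level IN zones have to be moved into an IN class view of their own; run named-checkconf after the change to confirm the file still parses.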