RRL on queries to the built-in _bind view
  • 11 Jan 2021

On servers that do not have Response Rate Limiting (RRL) configured, administrators may still see evidence of rate-limiting being logged. For example:

06-Jan-2021 18:05:30.521 rate-limit: info: client @0x7fc20c721370 192.0.2.189#52080 (hostname.bind): rate limit drop response to 192.0.2.0/24/24 for hostname.bind CH TXT  (17a62589)
06-Jan-2021 18:07:37.838 rate-limit: info: stop limiting responses to 192.0.2.0/24 for hostname.bind CH TXT  (17a62589)

BIND has a built-in _bind view that provides the following zones:

view "_bind" chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        # Prevent use of this zone in DNS amplified reflection DoS attacks
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
        };

        zone "version.bind" chaos {
                type master;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type master;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type master;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type master;
                database "_builtin id";
        };
};

The contents of these built-in zones can be overridden directly in named.conf with the version, server-id and hostname options.

However, to disable or alter rate-limiting (for example if you have monitoring software sending these queries) you will need to define your own CH class view with different rate-limit settings.
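
Such a view, as an added example that is not from the original article: it carries the same four built-in zones but exempts a monitoring prefix from RRL rather than dropping its responses. The view name "chaos-monitoring" and the 192.0.2.0/24 prefix are assumptions; substitute your own monitoring addresses.

```conf
// Added example (not ISC's configuration): a user-defined CH class view.
// Defining any chaos class view means the built-in "_bind" view is no
// longer used, so the zones it provided must be re-declared here.
view "chaos-monitoring" chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        // Same limits as the built-in view, but monitoring hosts are
        // exempt so their hostname.bind / version.bind probes are never
        // dropped. Omit the whole rate-limit block to disable RRL here.
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
                exempt-clients { 192.0.2.0/24; };   // constructed example prefix
        };

        zone "version.bind" chaos {
                type master;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type master;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type master;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type master;
                database "_builtin id";
        };
};
```

After reloading, queries from the exempt prefix no longer produce the "rate limit drop response" log lines, while everyone else is still limited.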

Alternatively, ensure that your monitoring clients use DNS COOKIE (RFC7873) to learn the server cookie and send that in their requests. Requests with valid server cookies bypass RRL.