Hi,
> On 30 Sep 2016, at 21:41, Michael A. Peters <mpeters at domblogger.net> wrote:
>
> I run 3 authoritative nameservers. I master in Texas, 1 slave in
> California, 1 slave in London.
>
> I am small time, maybe a dozen zones. I just really did not like the
> limitations of DNS management that hosting providers and registrars have,
> especially wanting me to pay a fee to have DNSSEC yet still have many of the
> limitations.
>
> In light of the recent massive DDoS attacks I want to make damn sure that I
> have RRL properly implemented.
>
> I do keep up to date with the latest NSD and it is compiled with rate
> limiting option.
>
> What is the best way though to test the effectiveness of my rate limiting
> and determine whether or not it is good enough? Is there by chance a test
> service similar to ssllabs where I can test the quality of my rate limiting?
>
> Secondly, has anyone looked at the real world implications of refusing UDP?
> Especially with DNSSEC it seems TCP is more logical and a lot of DNS requests
> expecting a large response use TCP anyway.
>
> Could we eliminate the DDoS threat by just turning off UDP?
>
> Recursive servers I understand probably have to keep accepting them, but
> authoritative servers are only intended for recursive servers to query, so would
> it be safe to just drop port 53 UDP requests?
>
> I hope that isn't too ignorant of a question.
You will almost certainly cut some clients off from being able to resolve your
domains if you do this.
All resolvers *SHOULD* support TCP however in non DNS circles there is a certain
amount of ignorance to this where a percentage of people believe that DNS over
TCP is only for zone transfers and of course my resolver doesn't do zone
transfers so I will block TCP at the firewall.
It's difficult to assess how much impact this will have but I would advise you
not to do it and if you do I would advise you put some measures in place to
attempt to measure the amount of queries you receive before and after the
change.
Regards
--
Brett Carr
Senior DNS Engineer
Nominet UK
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
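One concrete way to act on the advice above (measure query volume before and after a transport change) is to snapshot NSD's own counters with `nsd-control stats_noreset` and compare the two snapshots. The script below is an added example, not code from either poster or from NLnet Labs; it assumes the counter names `num.queries`, `num.udp`, `num.udp6`, `num.tcp`, `num.tcp6`, `num.truncated` and `time.elapsed` as printed by `nsd-control stats` (check them against your NSD version), and the two snapshots embedded in it are constructed sample output, not real measurements. It reports the TCP share of traffic, the fraction of UDP answers that were truncated (which is what pushes clients to retry over TCP), and the change in queries per second between the snapshots. Note the caveat the script cannot remove: queries dropped at a firewall never reach NSD, so a fall in query rate after blocking UDP tells you how much traffic vanished, not which clients failed to fall back to TCP.

```python
"""Compare NSD traffic counters between two `nsd-control stats_noreset` snapshots.

Added example for the thread above. The counter names are assumed to match the
output of nsd-control stats; BEFORE and AFTER are constructed sample snapshots.
"""
from typing import Dict

# Constructed snapshot taken before a transport change (one hour of traffic).
BEFORE = """\
server0.queries=120000
num.queries=120000
num.udp=100000
num.udp6=14000
num.tcp=5000
num.tcp6=1000
num.truncated=300
time.elapsed=3600
"""

# Constructed snapshot taken after UDP/53 was blocked upstream: NSD sees only TCP.
AFTER = """\
server0.queries=48000
num.queries=48000
num.udp=0
num.udp6=0
num.tcp=40000
num.tcp6=8000
num.truncated=0
time.elapsed=3600
"""


def parse_stats(text: str) -> Dict[str, float]:
    """Turn `key=value` lines from nsd-control stats into a dict of numbers."""
    stats: Dict[str, float] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            stats[key.strip()] = float(value.strip())
        except ValueError:
            # Non-numeric counters (none in the assumed set) are skipped.
            continue
    return stats


def transport_summary(stats: Dict[str, float]) -> Dict[str, float]:
    """Aggregate per-transport counters into the numbers worth trending."""
    udp = stats.get("num.udp", 0.0) + stats.get("num.udp6", 0.0)
    tcp = stats.get("num.tcp", 0.0) + stats.get("num.tcp6", 0.0)
    total = udp + tcp
    elapsed = stats.get("time.elapsed", 0.0)
    return {
        "udp": udp,
        "tcp": tcp,
        "total": total,
        # Share of queries arriving over TCP; rises as clients fall back to TCP.
        "tcp_share": tcp / total if total else 0.0,
        # Fraction of UDP answers sent with TC=1, i.e. forced TCP retries.
        "truncated_share": stats.get("num.truncated", 0.0) / udp if udp else 0.0,
        # Average queries per second over the snapshot window.
        "qps": total / elapsed if elapsed else 0.0,
    }


def compare_snapshots(before_text: str, after_text: str) -> Dict[str, object]:
    """Summarise both snapshots and the relative change in query rate."""
    before = transport_summary(parse_stats(before_text))
    after = transport_summary(parse_stats(after_text))
    qps_change = (after["qps"] - before["qps"]) / before["qps"] if before["qps"] else 0.0
    return {"before": before, "after": after, "qps_change": qps_change}


if __name__ == "__main__":
    result = compare_snapshots(BEFORE, AFTER)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label}: {s['qps']:.1f} qps, TCP share {s['tcp_share']:.1%}, "
              f"truncated {s['truncated_share']:.2%}")
    print(f"query rate change: {result['qps_change']:+.1%}")
```

Run it against real output by replacing the two embedded strings with the text of `nsd-control stats_noreset` captured before and after the change; the relative query-rate change and the TCP share are the two numbers to watch.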