Hey Onur,

I would guess it depends on your setup and how much traffic you receive. [1] gives as an example a value of 10 responses per second, which I would say is a good place to start. [5] gives a value of 5 responses per second and I get the impression that that is the value used by the F root servers. You can always implement RRL on one of your authoritative name servers with a value of 10 and try lower values if all seems to be ok.

Both resources are from ISC so I would say they are good advice to start with.

PS: RRL is disabled by default so the default value is "0", meaning "no limit" (see the ARM for version 9.16.8 on page 73).

[1]: https://kb.isc.org/docs/aa-00994
[2]: https://conference.apnic.net/data/37/apricot-2014-rrl_1393309768.pdf

Best regards,
Tom

On Fri, 27 Nov 2020 at 08:00, Onur GURSOY <onurgursoyg...@gmail.com> wrote:
>
> Hello Everyone,
>
> Bind9 is a good product and benchmark.
> It has good documentation especially about vulnerabilities.
> I wonder one thing, nowadays,
>
> For brute force, reflection, amplification and etc. attacks, there is
> prevention which is named response rate limit (RRL).
> Question:
> What is the default value of rate-limit?
> What is the best practise, best value for the rate-limit clause?
>
> Thanks in advance.
> Have a nice day and healthy day,
> With best regards
>
> --
> Onur GÜRSOY
> R&D Engineer in Embedded Systems
> Master Student at Gebze Institute Of Technology
> Department Of Electronic Engineering
> GSM : 0(545) 764 7653
> e-mail: onurgursoyg...@gmail.com
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
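
A staged way to try the starting value of 10 from the reply, as an added example that is not part of the original thread or ISC's own configuration. The log file path and the exempted 192.0.2.53 address are constructed placeholders; the server is assumed to be authoritative-only.

```conf
// named.conf fragment (added example): RRL in log-only mode first.
options {
    recursion no;                    // assumption: authoritative-only server

    rate-limit {
        responses-per-second 10;     // starting value suggested in the reply
        window 15;                   // seconds over which rates are tracked (BIND default)
        slip 2;                      // every 2nd limited response goes out truncated (TC=1),
                                     // so a legitimate client can retry over TCP (BIND default)
        log-only yes;                // stage 1: log what would be limited, drop nothing
        exempt-clients {             // never limit these sources
            127.0.0.1;
            192.0.2.53;              // constructed placeholder, e.g. a monitoring host
        };
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rate-limit.log" versions 5 size 10m;  // placeholder path
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };  // RRL decisions are logged under this category
};
```

Validate the file with `named-checkconf` before reloading. Once the log shows that only abusive query patterns would be limited, set `log-only no;` and then try lower values of `responses-per-second` as described in the reply.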