> From: Jim Reid <[email protected]>
> I suppose a name server could keep a (small?) cache of recently
> marshalled answers and use that to either rate limit responses which
> are too large or identical to one that has recently been sent to the
> same IP address(es). [For some definition of large and recent.]

A problem with that thought is what I tried to state before, that there is no definition of "large" that is small enough to permit an exemption from rate limiting but not so small that it keeps minimal DNS responses rate limited. For example, it seems that <random>.rfc1035.com to your 93.186.33.42 is good for a 2X amplified stream of NXDOMAINs. 2X is small but too high for DoS victims to tolerate. I trust you will eventually turn on DNSSEC, which will probably boost your amplification of random requests well above 5X.

> It could be good to have something which rate limits outgoing responses
> in addition to what's done with incoming queries.

Please recall that RRL stands for *response* rate limiting and neither *query* rate limiting nor *client* rate limiting. The differences are significant. Among those differences is one that wrecks the goal of turning off RRL for those mythical small enough to not be amplified responses. Because RRL is about rate limiting responses instead of clients, there are few or no good reasons to turn it off for large or small legitimate responses. Legitimate responses are not frequently repeated and so don't get dropped except in rare or dubious scenarios.

Vernon Schryver [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
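The following is an added toy model of the distinction Vernon draws; it is not code from the thread, from BIND or from any other RRL implementation. It keys the limiter on the combination of client address block and response identity (all NXDOMAINs for one zone share an identity, since the random label changes nothing in the answer), so a spoofed stream of random names under rfc1035.com is throttled after a few responses while distinct legitimate answers to many resolvers pass untouched. The limit of 5 responses per second, the /24 and /56 client blocks, the victim and resolver addresses and the query/response byte sizes are all constructed assumptions; rfc1035.com is the zone named in the thread.

```python
"""Toy model of DNS Response Rate Limiting (RRL); added example, not the thread's code.

Keys are (client address block, response identity) rather than the client or the
query alone, so a spoofed stream of random NXDOMAINs is throttled while distinct
legitimate answers are not. Limits, prefix lengths and sample traffic are assumptions.
"""
import ipaddress
from collections import defaultdict


def amplification(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification of one exchange: response size over query size."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Per-second cap on identical responses to one client block (assumed /24 and /56)."""

    def __init__(self, responses_per_second: int = 5, ipv4_prefix: int = 24, ipv6_prefix: int = 56):
        self.limit = responses_per_second
        self.v4_prefix = ipv4_prefix
        self.v6_prefix = ipv6_prefix
        self.counts = defaultdict(int)  # (second, client block, response identity) -> sent so far

    def _client_block(self, client_ip: str) -> str:
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    @staticmethod
    def _response_identity(qname: str, qtype: str, rcode: str, zone: str) -> tuple:
        # Every NXDOMAIN for a zone counts as one response: the random label in the
        # query does not make the (empty) answer any different.
        if rcode == "NXDOMAIN":
            return ("NXDOMAIN", zone.lower())
        return (qname.lower(), qtype.upper(), rcode)

    def decide(self, now: float, client_ip: str, qname: str, qtype: str, rcode: str, zone: str) -> str:
        """Return "send" or "drop" for the response the server is about to emit."""
        window = int(now)
        key = (window, self._client_block(client_ip), self._response_identity(qname, qtype, rcode, zone))
        self.counts[key] += 1
        # Forget windows older than the previous second so the table does not grow without bound.
        for stale in [k for k in self.counts if k[0] < window - 1]:
            del self.counts[stale]
        return "send" if self.counts[key] <= self.limit else "drop"


def simulate_reflection(limiter: ResponseRateLimiter, victim_ip: str = "203.0.113.7", n: int = 100) -> int:
    """Constructed attack traffic: n queries for random names under rfc1035.com with the source
    address spoofed to the victim. Returns how many of the n NXDOMAIN responses are sent."""
    sent = 0
    for i in range(n):
        verdict = limiter.decide(0.0, victim_ip, f"rnd{i}.rfc1035.com", "A", "NXDOMAIN", "rfc1035.com")
        sent += verdict == "send"
    return sent


def simulate_legitimate(limiter: ResponseRateLimiter, n: int = 100) -> int:
    """Constructed normal traffic: n resolvers in n different /24s asking for n different names.
    No (client block, response) pair repeats, so nothing is dropped."""
    sent = 0
    for i in range(n):
        verdict = limiter.decide(0.0, f"10.{i}.0.53", f"host{i}.example.com", "A", "NOERROR", "example.com")
        sent += verdict == "send"
    return sent


if __name__ == "__main__":
    print("reflection stream: sent", simulate_reflection(ResponseRateLimiter()), "of 100")
    print("legitimate traffic: sent", simulate_legitimate(ResponseRateLimiter()), "of 100")
    # Constructed sizes (60-byte query, 120-byte NXDOMAIN) giving the 2X ratio the thread mentions.
    print("amplification:", amplification(60, 120))
```

Run as a script it reports 5 of 100 reflected responses sent, 100 of 100 legitimate responses sent, and an amplification of 2.0. The design choice that matters is the key: a query or client rate limiter keyed on the source address alone would throttle a busy but honest resolver, whereas keying on the repeated response lets the server keep answering everything that is not a repeat, which is why the thread sees no reason to exempt "small" responses.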
