

4.9 Using Response Rate Limiting

Response rate limiting (RRL) is a method to combat recent DNS reflection amplification attacks. These attacks rely on the fact that the source address of a UDP query can be forged, and without worldwide deployment of BCP38 such forgery cannot be detected. An attacker can then exploit a DNS server that responds to every query, potentially flooding the victim with large unsolicited DNS responses.

As of Knot DNS version 1.2.0, RRL is compiled in, but disabled by default. You can enable it with the rate-limit option in the system section. Setting it to a value greater than 0 means that every flow is allowed N responses per second (i.e. rate-limit 50; means 50 responses per second). It is also possible to configure a slip interval, which causes every Nth blocked response to be slipped as a truncated response. Note that some error responses cannot be truncated and are slipped as-is. For more information, refer to rate-limit-slip. It is advisable not to set the slip interval to a value larger than 1.

Example configuration:

system {
	rate-limit 200;    # Each flow is allowed to 200 resp. per second
	rate-limit-slip 1; # Every response is slipped (default)
}
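To make the rate-limit / rate-limit-slip semantics above concrete, the following is an added Python model of the per-flow decision (respond, slip a truncated reply, or drop); it is not Knot's own code. The grouping of clients into /24 (IPv4) or /56 (IPv6) flows and the one-second counting window are assumptions of this model.

```python
# Added example: model of RRL as described above (not Knot DNS source).
# rate_limit = allowed responses per flow per second (0 disables RRL),
# slip = every slip-th blocked response is sent truncated (TC=1) instead
# of being dropped, so a legitimate client can retry over TCP.
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    def __init__(self, rate_limit, slip=1):
        self.rate_limit = rate_limit
        self.slip = slip
        self._count = defaultdict(int)    # responses sent in the current second
        self._window = defaultdict(int)   # which second _count refers to
        self._blocked = defaultdict(int)  # blocked responses, drives slipping

    @staticmethod
    def flow_key(client_ip, qname):
        # Assumption: a flow is (client address block, query name). Grouping
        # by /24 or /56 stops a spoofer from dodging the limit by rotating
        # source addresses inside one block.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 56
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), qname.lower())

    def decide(self, client_ip, qname, now):
        if self.rate_limit <= 0:
            return "respond"  # RRL disabled, as with the default config
        key = self.flow_key(client_ip, qname)
        second = int(now)
        if self._window[key] != second:  # new second: reset the flow counter
            self._window[key] = second
            self._count[key] = 0
        if self._count[key] < self.rate_limit:
            self._count[key] += 1
            return "respond"
        # Over the limit: drop, except every slip-th blocked response, which
        # goes out truncated (error responses that cannot be truncated would
        # be sent as-is; this model does not distinguish them).
        self._blocked[key] += 1
        if self.slip > 0 and self._blocked[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(rate_limit, slip, queries, client="192.0.2.77", qname="example.com."):
    """Constructed flood: `queries` responses to one spoofed client/qname
    within a single second. Returns how many were answered/slipped/dropped."""
    rrl = ResponseRateLimiter(rate_limit, slip)
    counts = {"respond": 0, "slip": 0, "drop": 0}
    for i in range(queries):
        counts[rrl.decide(client, qname, now=1000.0 + i / queries)] += 1
    return counts
```

With rate-limit 200 and slip 1 (the configuration shown above), a 1000-response flood within one second yields 200 full responses and 800 truncated ones, which is why a slip larger than 1 trades fewer TC replies for dropped responses to legitimate clients.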