Extend rate-limit features to protect recursor from bad clients
Description
In our organization, some users are using resperf to send many queries to our DNS with the intention of degrading the service or even blocking it for legitimate users.
We have used our firewall to rate limit access to ports 53 UDP and TCP per client.
We have also verified that BIND9's rate-limit functions, which are designed to prevent other types of attacks, can also be used in this case to block excessive UDP queries.
Something like:

```
rate-limit {
    responses-per-second 75;
    all-per-second 200;
    window 3;
    max-table-size 2000000;
    min-table-size 500000;
    ipv4-prefix-length 32;
};
```

This blocks excessive queries from the attacker and preserves resources for the rest of the users when the attacker uses UDP to make queries.
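Since the rate-limit block above only acts on UDP responses, one way to see what a client is doing over both transports is to measure it from the query log. The following script is an added example, not part of this issue and not BIND's own code: it parses BIND 9 `queries`-category log lines (default timestamp format; the `T` letter in the flags field marks a query that arrived over TCP), counts queries per source address across UDP and TCP in a sliding window, and returns the clients that exceed a threshold. The log lines, the window of 3 seconds and the threshold of 5 queries are constructed for the demo; in practice the threshold would be aligned with the `responses-per-second`/`window` values in use.

```python
"""Per-client query-rate check over BIND 9 query-log lines (UDP and TCP).

Added example, not BIND project code. Assumes the default BIND 9 query-log
line format with the default timestamp ("01-Mar-2024 12:00:00.123").
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One BIND 9 query-log line looks like (constructed sample):
# 01-Mar-2024 12:00:00.100 client @0x7f0a 203.0.113.7#41000 (example.com): query: example.com IN A +E(0)K (198.51.100.1)
# The flags field ("+E(0)K", "+E(0)TK", ...) contains "T" for queries received over TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client(?: @0x[0-9a-f]+)? "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: \S+ \S+ \S+ (?P<flags>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, 'udp'|'tcp'), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    proto = "tcp" if "T" in m.group("flags") else "udp"
    return ts, m.group("ip"), proto


def find_offenders(lines, window_seconds=3, max_queries=5):
    """Flag clients that send more than max_queries within any window_seconds span.

    Counting ignores the transport, so a client that moves its traffic to TCP
    (where RRL does not apply) is still measured. Returns a dict
    {ip: {"udp": n, "tcp": n, "peak": queries_in_busiest_window}} for offenders only.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])          # log lines may not be strictly ordered
    recent = defaultdict(deque)              # ip -> timestamps inside the current window
    stats = defaultdict(lambda: {"udp": 0, "tcp": 0, "peak": 0})
    offenders = {}
    for ts, ip, proto in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop queries that fell out of the window
        stats[ip][proto] += 1
        stats[ip]["peak"] = max(stats[ip]["peak"], len(q))
        if len(q) > max_queries:
            offenders[ip] = stats[ip]
    return offenders


# Constructed sample: 203.0.113.7 sends six queries in about one second, four of them
# over TCP; 198.51.100.5 sends two queries and stays well under the threshold.
SAMPLE_LOG = """\
01-Mar-2024 12:00:00.100 client @0x7f0a 203.0.113.7#41000 (example.com): query: example.com IN A +E(0)K (198.51.100.1)
01-Mar-2024 12:00:00.300 client @0x7f0a 203.0.113.7#41001 (example.com): query: example.com IN A +E(0)K (198.51.100.1)
01-Mar-2024 12:00:00.500 client @0x7f0a 203.0.113.7#41002 (example.com): query: example.com IN AAAA +E(0)TK (198.51.100.1)
01-Mar-2024 12:00:00.700 client @0x7f0a 203.0.113.7#41003 (example.com): query: example.com IN AAAA +E(0)TK (198.51.100.1)
01-Mar-2024 12:00:00.900 client @0x7f0a 203.0.113.7#41004 (example.com): query: example.com IN MX +E(0)TK (198.51.100.1)
01-Mar-2024 12:00:01.100 client @0x7f0a 203.0.113.7#41005 (example.com): query: example.com IN TXT +E(0)TK (198.51.100.1)
01-Mar-2024 12:00:01.200 client @0x7f0b 198.51.100.5#53022 (example.org): query: example.org IN A +E(0)K (198.51.100.1)
01-Mar-2024 12:00:02.400 client @0x7f0b 198.51.100.5#53023 (example.org): query: example.org IN A +E(0)TK (198.51.100.1)
"""

if __name__ == "__main__":
    for ip, s in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: peak {s['peak']} queries in window (udp={s['udp']}, tcp={s['tcp']})")
```

On the sample, only `203.0.113.7` is reported (peak 6, udp=2, tcp=4); the output is the kind of per-client list that can be fed to the firewall rules mentioned above, which, unlike RRL, can act on both UDP and TCP. Run it against a real log with `find_offenders(open("query.log").read().splitlines(), window_seconds=3, max_queries=225)` to match a `window 3` / `responses-per-second 75` configuration.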
Request
It would be great if BIND9's rate-limit functions could rate limit queries sent by attackers regardless of the protocol used by the attacker.
Thank you very much.
Links / references
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-rate-limit