Request Rate Limiting

I run 3 authoritative nameservers: 1 master in Texas, 1 slave in California, 1 slave in London.

I am small time, maybe a dozen zones. I just really did not like the limitations of DNS management that hosting providers and registrars have, especially wanting me to pay a fee to have DNSSEC yet still have many of the limitations.

In light of the recent massive DDoS attacks I want to make damn sure that I have RRL properly implemented.

I do keep up to date with the latest NSD, and it is compiled with the rate limiting option.

What is the best way though to test the effectiveness of my rate limiting and determine whether or not it is good enough? Is there by chance a test service similar to ssllabs where I can test the quality of my rate limiting?

Secondly, has anyone looked at the real world implications of refusing UDP? Especially with DNSSEC it seems TCP is more logical and a lot of DNS requests expecting a large response use TCP anyway.

Could we eliminate the DDoS threat by just turning off UDP?

Recursive servers I understand probably have to keep accepting them, but authoritative servers are only intended for recursive servers to query, so would it be safe to just drop port 53 UDP requests?

I hope that isn't too ignorant of a question.
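To know what "effective" RRL looks like before testing it, it helps to see the response pattern NSD's rate limiting is designed to produce: queries are accounted per (client prefix, qname, qtype), and once a group exceeds the per-second limit, only every slip-th extra query gets a truncated (TC=1) reply and the rest are silently dropped. The following is an added Python model written for this thread, not NSD's code: the option names mirror nsd.conf's rrl-ratelimit, rrl-slip and the prefix-length settings, but the per-second window arithmetic and the query stream are constructed assumptions, not NSD's actual implementation.

```python
import ipaddress
from collections import Counter

def prefix_key(addr: str, v4_len: int = 24, v6_len: int = 56) -> str:
    """Collapse a client address to the prefix RRL accounts it under
    (NSD's defaults are /24 for IPv4 and /56 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

class Rrl:
    """Per-second response budget per (client prefix, qname, qtype).
    Simplified: the budget resets every wall-clock second instead of
    NSD's smoothed rate, which is enough to show the answer/slip/drop pattern."""

    def __init__(self, ratelimit=200, slip=2, v4_len=24, v6_len=56):
        self.ratelimit, self.slip = ratelimit, slip
        self.v4_len, self.v6_len = v4_len, v6_len
        self.window = {}  # key -> [second, answered, over-limit count]

    def decide(self, ts: float, src: str, qname: str, qtype: str) -> str:
        key = (prefix_key(src, self.v4_len, self.v6_len),
               qname.lower().rstrip("."), qtype.upper())
        sec = int(ts)
        w = self.window.get(key)
        if w is None or w[0] != sec:  # new second: fresh budget
            w = self.window[key] = [sec, 0, 0]
        if w[1] < self.ratelimit:
            w[1] += 1
            return "answer"
        w[2] += 1
        # Every slip-th over-limit query gets a TC=1 reply so a genuine
        # resolver inside the abused prefix can retry over TCP.
        if self.slip and w[2] % self.slip == 0:
            return "truncate"
        return "drop"

# Constructed query stream: 12 queries within one second from two hosts in
# the same /24, one query from another network, one query a second later.
SAMPLE_QUERIES = [(100.0 + i / 100, "192.0.2.10" if i % 2 else "192.0.2.77",
                   "example.com.", "A") for i in range(12)]
SAMPLE_QUERIES += [(100.5, "198.51.100.5", "example.com", "A"),
                   (101.0, "192.0.2.10", "EXAMPLE.com", "a")]

def simulate(queries, **rrl_options) -> dict:
    """Run the stream through one Rrl instance and count the verdicts."""
    rrl = Rrl(**rrl_options)
    return dict(Counter(rrl.decide(*q) for q in queries))

if __name__ == "__main__":
    print(simulate(SAMPLE_QUERIES, ratelimit=5, slip=2))  # {'answer': 7, 'drop': 4, 'truncate': 3}
```

When checking a real server, the thing to look for is the same shape: answers up to the limit, then a mix of silence and TC=1 replies from the offending prefix while other prefixes keep getting full answers.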

Michael A. Peters:

Could we eliminate the DDoS threat by just turning off UDP?

Recursive servers I understand probably have to keep accepting them, but authoritative servers are only intended for recursive servers to query, so would it be safe to just drop port 53 UDP requests?

Good question.
I'll relay the question to dnsop@ietf.org...

Andreas

Hi,