Unbound rate limiting

Can we expect unbound query rate limiting (http://www.redbarn.org/dns/ratelimits) per client/source in future releases?

Response rate limiting is designed for authoritative name servers. It does not work well for recursive servers, because most recursive clients are cacheless so it is normal for them to repeat queries in a way that would be unreasonable for caching iterative clients. Response rate limiting is not just a per client query limit.

The way to secure a recursive server is to answer queries only from your network's IP addresses.

Tony.

That's a feature for authoritative DNS service. Myself, I highly
recommend and endorse those rate-limits for authoritative servers: in
particular, their patch for bind works really well.

Unbound is a _resolver_. It does not provide authoritative service
except as a local_data hack for splicing data in. The rate limit
concepts as defined on that page simply don't apply to Unbound.

You should not be providing recursive DNS service that's open to the
Internet.

See the "access-control:" directive.

If you're only providing recursive DNS service to your own customers,
then you can block packets with a source IP that claims to be your
customers at your border routers, so the spoofed traffic is blocked
before it even reaches your DNS servers.

What is your setup, that you need to have recursive service offered to
third-party networks, and what issues are you trying to solve?

-Phil
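The "access-control:" setup Phil describes, as an added example that is not part of the thread; the two /16 prefixes are placeholders standing in for the ISP's real supernets.

```conf
# Added example (not from the thread): unbound.conf "server:" fragment that
# restricts recursion to your own networks. Prefixes below are placeholders.
server:
    # Default: refuse every source not listed below. "refuse" returns
    # REFUSED; "deny" would drop silently, which also avoids reflecting
    # a reply toward a spoofed source address.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Local host, for monitoring and unbound-control checks.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # Your own supernets (placeholder /16s, substitute the real ones).
    access-control: 10.10.0.0/16 allow
    access-control: 10.20.0.0/16 allow
```

Note that a subscriber running an open resolver inside an allowed /16 still passes this check, so the border-router filter on spoofed source addresses that Phil mentions is the complement, not an alternative.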

I know rate limiting was intended for authoritative servers but due to last week's DDoS attacks towards Spamhaus I'd like to limit the rate of our users' queries (ISP, couple of /16 subnets).

Don't get me wrong - the servers are working as they should and are resolving records *just* for our supernets; but quite a few of the subscribers have an open resolver on their hands and are using our resolver as a forwarder. Just take a look at the attached picture of one of the few resolvers' statistics.


BIND has the dampening patch for these purposes, I believe. Don't know how
it behaves in practice, but have heard good things about it.

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope