RRL, or Response Rate Limiting, is an enhancement to the DNS protocol which serves as a mitigation tool for the problem of DNS amplification attacks. At this time, RRL implementation is only recommended for authoritative servers.
DNS reply packets are usually larger than query packets and (depending on the question asked) can be much larger. By sending a question that is known to have a large reply packet, an attacker can multiply the effectiveness of attacking target machines by sending them garbage data. The attacker sends out a large number of DNS queries that are forged to look like they were sent by the victim, so that the large response packets get sent to that victim. This is the classic DNS DDoS. For more information on these attacks, please see: https://kb.isc.org/article/AA-00897/11/What-is-a-DNS-Amplification-Attack.html
Excessive nearly-identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used as part of a DNS amplification attack. If a response to a legitimate client is blocked, it will retry with UDP or TCP. The RRL mechanism is intended for authoritative name servers. While it will work on recursive servers, it is more likely to generate false positives there. Limiting access to a recursive server is a better means of preventing their abuse.
Once you have built an executable binary of BIND 9.9 that includes the Response Rate Limiter feature, the instructions for using it are the same as for BIND 9.10, and are documented in KB article AA-00994.
© 2001-2016 Internet Systems ConsortiumPlease help us to improve the content of our knowledge base by letting us know below how we can improve this article. If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback. For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.