Response rate Limiting

  • Question

  • Hello,

    I would like to know the benefits of response rate limiting. Is this option a good way of securing DNS, and when should we use it?
    Thursday, August 17, 2017 1:16 PM

Answers

  • Hi,

    DNS clients and DNS servers are configured in such a way that when a DNS client requests an address, it will put the result that it gets back from a DNS server in its cache for the time-to-live period of the record. Maybe it gets reverted, maybe that cache gets flushed, so it might need to request the same record again, but what a DNS client shouldn't be doing is repeatedly asking for the same record in a very short period of time.
    So what response rate limiting (RRL) does is allow you to configure how a DNS server will respond in the event that a specific client, or computers from a specifically defined subnet, seem to be frequently requesting the same record over a short period of time. RRL is not the only security option in DNS, and you should take a look at DNSSEC, disabling recursion, secure dynamic updates, etc. It all depends on your requirements.

    ------------------------------------------------------------------------------------------------------------
    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.

    nedimmehic.org

    • Marked as answer by Mark CooperFC Thursday, August 17, 2017 7:47 PM
    Thursday, August 17, 2017 1:38 PM
  • Yes, they are still valid, but you don't need to modify those. They are enabled by default. Server Cache Locking is already at 100, so no need to change that, and the socket pool has 2500 ports by default, which is enough, so no need to change it. RRL is an optional feature and it is disabled because it is you who decides if you need it or not.


    • Marked as answer by Mark CooperFC Thursday, August 17, 2017 7:47 PM
    Thursday, August 17, 2017 2:20 PM
  • Hi,

    When you enable it you can modify it so that the policy fits your organization, and/or if it is OK you can use the default settings. Just to point out that ResponsesPerSec –> This is the maximum number of times a server will send the same response per second to clients on a defined subnet. The default is 5 (responses per sec is what triggers the policy).

    Check this link to see what those options mean

    https://blogs.technet.microsoft.com/teamdhcp/2015/08/28/response-rate-limiting-in-windows-dns-server/


    • Marked as answer by Mark CooperFC Thursday, August 17, 2017 7:47 PM
    Thursday, August 17, 2017 7:02 PM
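    The enable-then-tune workflow described in the answers above, as an added PowerShell example that is not part of the original thread. It assumes a Windows Server 2016 or later DNS server with the DnsServer module, run locally as an administrator; the "MonitoringNet" subnet name and its 10.0.5.0/24 range are hypothetical values for the exception list.

```powershell
# Added example, not from the thread. Stage RRL on a Windows DNS server:
# inspect, run in log-only mode, exempt a trusted subnet, then enforce.
# Assumes local admin on a Windows Server 2016+ DNS server.

# 1. Inspect the current RRL state. Mode is Disable out of the box,
#    which is why the feature does nothing until you turn it on.
Get-DnsServerResponseRateLimiting

# 2. Enable in LogOnly mode first: the server evaluates the policy and
#    logs what it would have throttled, but still answers every query.
#    ResponsesPerSec 5 is the default quoted in the answer above; the
#    other thresholds are left at their defaults.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -Force

# 3. Exempt a trusted subnet, e.g. a monitoring system that legitimately
#    polls the same record many times per second. Hypothetical values.
Add-DnsServerClientSubnet -Name "MonitoringNet" -IPv4Subnet "10.0.5.0/24"
Add-DnsServerResponseRateLimitingExceptionlist -Name "MonitoringExempt" `
    -ClientSubnet "EQ,MonitoringNet"

# 4. Once the log-only results show only abusive traffic would be
#    affected, switch to enforcement.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# 5. Confirm the effective settings and exception list.
Get-DnsServerResponseRateLimiting | Format-List
Get-DnsServerResponseRateLimitingExceptionlist
```

    Running in LogOnly mode before Enable lets you verify that internal resolvers and monitoring hosts are not hitting the per-subnet limit before any response is actually dropped.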

All replies

  • Response rate limiting looks promising. We were not looking to implement DNSSEC, not yet. I think that disabling recursion is not an option, because if we disable it, it will also disable browsing to the internet, so that one is not working for us. We already have secure dynamic updates. Do you know if Socket Pool and Server Cache Locking are still valid?

    I can see that response rate limiting is disabled by default so that means that this option is not standard in securing DNS.

    Thursday, August 17, 2017 2:08 PM
  • Do we need to configure it or just enable it? If I enable it, how will it work? Do we need to modify those parameters or just accept the defaults? What do those mean?
    Thursday, August 17, 2017 5:30 PM