Infoblox Rate Limiting

RRL = Response Rate Limiting

You have to use the CLI to implment DNS rate limiting.

• DNS Rate Limit is used to protect the server from being overloaded by queries (e.g. protect against DDoS attacked and amplification attacks against another system).
• IP Rate Limit is when we protect the DNS server from being overwhelmed by responses to queries that it made (e.g. protect against cache poisoning).

Excessive, almost-identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks. Short BADCOOKIE errors or truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped responses by retrying, to BADCOOKIE errors by including a server cookie when retrying, and to truncated responses by switching to TCP.

This mechanism is intended for authoritative DNS servers. It can be used on recursive servers, but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing “open” recursive servers is better.

Response rate limiting uses a “credit” or “token bucket” scheme. Each combination of identical response and client has a conceptual “account” that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but which can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate-limited.

Enable RRL

set dns_rrl enable

Use the set dns_rrl command to configure RRL (Response Rate Limiting) settings for the Grid or members

Set for Grid Wide

set dns_rrl responses_per_second 100 log_only false window default slip 2 logging disable

The set ip_rate_limit commands enable and disable rate limiting UDP traffic from source port 53, configure rate limiting rules that control the traffic, and remove rate limiting rules. Once you enable rate limiting, the current rate limiting rules take effect.

Enable ip_rate_limit

set ip_rate_limit on

Block all traffic from 10.1.1.1

set ip_rate_limit add source 10.1.1.1 limit 0

Limit the traffic to five packets per minute from host 10.10.1.2/24, with an allowance for burst of 10 packets

set ip_rate_limit add source 10.10.1.2/24 limit 5/m burst 10