Configuring DNS response rate limiting - BlueCat Address Manager - 8.3.1

Address Manager Administration Guide


Address Manager adds DNS response rate limiting (RRL) to the DNS configuration to better guard against DDoS attacks. Response rate limiting limits the rate at which a DNS server sends responses, reducing the impact of DNS reflection and amplification attacks.

It is intended for use on authoritative servers. These kinds of attacks use forged source IP addresses, which cannot be detected at a distance. A DNS server that answers queries from these addresses without rate limiting risks sending a stream of very large responses to an IP address that never solicited them. Response rate limiting caps the number of responses the DNS server sends, effectively dampening the attack.

You can configure DNS response rate limiting by adding a DNS Raw Option from the Address Manager user interface. BlueCat recommends configuring this DNS Raw Option at the Server level.

To configure DNS response rate limiting:

  1. Log in to the Address Manager user interface as the admin.
  2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under Servers, click a DNS server. The server’s Details tab opens.
  4. Select the Deployment Options tab.
  5. Under Deployment Options, click New and select DNS Raw Option.
  6. Under Value, enter the following in the Raw Data field:
    rate-limit {
        responses-per-second <value>;
        window <value>;
    };
    As a starting point, BlueCat recommends configuring DNS response rate limiting with the following parameters (values depend on your environment):
    • responses-per-second — the maximum number of times that a requester will be told the same answer within a one-second interval.
    • errors-per-second — similar to responses-per-second, but only applies to REFUSED, FORMERR and SERVFAIL response codes.
    • log-only — a testing mode in which responses are not actually dropped but standard logging still takes place (either true or false).
    • window — the period (in seconds) over which rates are measured and averaged.
    Note: Other configurable DNS RRL parameters are available. Contact BlueCat Customer Care for details, and to help you determine if these are applicable to your environment: https://care.bluecatnetworks.com
  7. Under Change Control, add comments, if required.
  8. Click Add.
  9. Deploy DNS.
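To see how responses-per-second and window interact before committing values, the following model (an added example, not BlueCat's or BIND's code) renders the Raw Data text for the option above and simulates a simplified credit bucket keyed by client and answer; the bucket rules, the client/answer keys and the traffic are assumptions, not named's exact algorithm.

```python
"""Simplified model of BIND-style DNS response rate limiting (RRL) - an added
example, not BlueCat's code; named's real RRL has more state (slip,
exempt-clients, per-netblock accounting) than this credit bucket shows."""
from dataclasses import dataclass, field

def render_raw_option(rps, window, errors_per_second=None, log_only=False):
    """Return the text to paste into the DNS Raw Option 'Raw Data' field."""
    lines = ["rate-limit {", f"    responses-per-second {rps};", f"    window {window};"]
    if errors_per_second is not None:
        lines.append(f"    errors-per-second {errors_per_second};")
    if log_only:
        lines.append("    log-only true;")   # test mode: log, do not drop
    lines.append("};")
    return "\n".join(lines)

@dataclass
class RateLimiter:
    rps: int               # responses-per-second
    window: int            # seconds over which rates are averaged
    log_only: bool = False
    limited: int = 0       # responses that exceeded the limit (logged)
    dropped: int = 0       # responses actually withheld
    _bucket: dict = field(default_factory=dict)  # (client, answer) -> (balance, last_seen)

    def allow(self, client, answer, now):
        """Decide whether `answer` may be sent to `client` at integer second `now`."""
        key = (client, answer)
        cap = self.rps * self.window      # most credit a quiet client can bank (assumed rule)
        balance, last = self._bucket.get(key, (self.rps, now))
        balance = min(cap, balance + (now - last) * self.rps)  # refill per elapsed second
        balance -= 1                      # this response spends one credit
        self._bucket[key] = (max(balance, -cap), now)   # debt is bounded as well
        if balance >= 0:
            return True
        self.limited += 1
        if self.log_only:
            return True                   # would have been limited; only log it
        self.dropped += 1
        return False

def burst(limiter, client, answer, now, count):
    """Send `count` identical queries at time `now`; return how many are answered."""
    return sum(limiter.allow(client, answer, now) for _ in range(count))

if __name__ == "__main__":
    print(render_raw_option(5, 5, errors_per_second=5, log_only=True))
    # constructed traffic: 12 identical queries from one source within the same second
    print(burst(RateLimiter(rps=5, window=5), "198.51.100.0/24", "example.test/A", 0, 12), "of 12 answered")
```

Running it with log_only=True first mirrors the testing mode described above: the limited count shows what would have been dropped without any response being withheld.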