Configuring DNS response rate limiting - BlueCat Integrity - 9.5.0

Address Manager includes DNS response rate limiting to the DNS configuration in order to better guard against DDoS attacks. Response rate limiting is a method of limiting the rate of responses by a DNS server in order to reduce the impact of DNS reflection and amplification attacks.

1. Log in to the Address Manager user interface as the admin.
2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
3. Under Servers, click a DNS server. The server’s Details tab opens.
4. Select the Deployment Options tab.
5. Under Deployment Options, click New and select DNS Raw option.
6. Under Value, enter the following in the Raw Data field:

   rate-limit {
       responses-per-second <value>;
       window <value>;
   };

   As a starting point, BlueCat recommends configuring DNS response rate limiting with the following parameters (values depend on your environment):

   • responses-per-second — the maximum number of times that a requester will be told the same answer within a one-second interval.
   • errors-per-second — similar to responses per second, but only applies to REFUSED, FORMERR and SERVFAIL response codes.
   • log-only — a testing mode in which responses aren't actually dropped but standard logging still takes place (either true or false)
   • window — the period (any value in seconds from 1 to 3600) over which rates are measured and averaged.

   Note: For more information on DNS Response Rate Limiting, refer to https://kb.isc.org/docs/aa-00994. Other configurable DNS RRL parameters are available - contact BlueCat Customer Care for details and assistance in determining applicable parameters for your environment: https://care.bluecatnetworks.com
7. Under Change Control, add comments, if required.
8. Click Add.
9. Deploy DNS.