Configuring DNS response rate limiting - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.5.0

Address Manager includes DNS response rate limiting to the DNS configuration in order to better guard against DDoS attacks. Response rate limiting is a method of limiting the rate of responses by a DNS server in order to reduce the impact of DNS reflection and amplification attacks.

It's intended for use on authoritative servers. These kinds of attacks employ false source IP addresses which can't be detected at a distance. DNS servers responding to queries from these IP addresses without rate limiting are at risk of sending a stream of very large responses to an IP address that didn't solicit the responses. Response rate limiting sets a cap on the number of responses sent from the DNS server, effectively dampening the attack.

You can configure DNS response rate limiting by adding a DNS Raw option from the Address Manager user interface. BlueCat recommends configuring this DNS Raw option at the Server level.

To configure DNS response rate limiting:

  1. Log in to the Address Manager user interface as the admin.
  2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under Servers, click a DNS server. The server’s Details tab opens.
  4. Select the Deployment Options tab.
  5. Under Deployment Options, click New and select DNS Raw option.
  6. Under Value, enter the following in the Raw Data field:
    rate-limit {
        responses-per-second <value>;
        window <value>;
    };
    As a starting point, BlueCat recommends configuring DNS response rate limiting with the following parameters (values depend on your environment):
    • responses-per-second — the maximum number of times that a requester will be told the same answer within a one-second interval.
    • errors-per-second — similar to responses per second, but only applies to REFUSED, FORMERR and SERVFAIL response codes.
    • log-only — a testing mode in which responses aren't actually dropped but standard logging still takes place (either true or false)
    • window — the period (any value in seconds from 1 to 3600) over which rates are measured and averaged.
    Note: For more information on DNS Response Rate Limiting, refer to https://kb.isc.org/docs/aa-00994. Other configurable DNS RRL parameters are available - contact BlueCat Customer Care for details and assistance in determining applicable parameters for your environment: https://care.bluecatnetworks.com
  7. Under Change Control, add comments, if required.
  8. Click Add.
  9. Deploy DNS.