About RRL and Best Practice

About RRL and Best Practice

Onur GURSOY
Hello Everyone,

Bind9 is a good product and benchmark.
It has good documentation especially about vulnerabilities.
I wonder one thing, nowadays,

For brute force, reflection, amplification, etc. attacks, there is a prevention which is named response rate limit (RRL).
Question:
What is the default value of rate-limit?
What is the best practice, the best value for the rate-limit clause?

Thanks in advance.
Have a nice and healthy day,
With best regards

--
Onur GÜRSOY
R&D Engineer in Embedded Systems
Master Student at Gebze Institute Of Technology
Department Of Electronic Engineering
GSM : 0(545) 764 7653
e-mail: [hidden email]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: About RRL and Best Practice

@lbutlr
On 27 Nov 2020, at 00:00, Onur GURSOY <[hidden email]> wrote:
> <div class="gmail_default" style= "font-family:comic sans ms,sans-serif">Hello Everyone,</div>

Oh, come on!

--
"Are you pondering what I'm pondering?"
"Wuh, I think so, Brain, but if we didn't have ears, we'd look like
        weasels."
Re: About RRL and Best Practice

Tom J. Marcoen
In reply to this post by Onur GURSOY
Hey Onur,

I would guess it depends on your setup and how much traffic you receive. [1] gives as an example a value of 10 responses per second, which I would say is a good place to start. [5] gives a value of 5 responses per second and I get the impression that that is the value used by the F root servers. You can always implement RRL on one of your authoritative name servers with a value of 10 and try lower values if all seems to be ok.

Both resources are from ISC so I would say they are good advice to start with.

PS: RRL is disabled by default so the default value is "0", meaning "no limit" (see the ARM for version 9.16.8 on page 73).

[1]: https://kb.isc.org/docs/aa-00994
[2]: https://conference.apnic.net/data/37/apricot-2014-rrl_1393309768.pdf

Best regards,
Tom

On Fri, 27 Nov 2020 at 08:00, Onur GURSOY <[hidden email]> wrote:

>
> Hello Everyone,
>
> Bind9 is a good product and benchmark.
> It has good documentation especially about vulnerabilities.
> I wonder one thing, nowadays,
>
> For brute force, reflection, amplification, etc. attacks, there is a prevention which is named response rate limit (RRL).
> Question:
> What is the default value of rate-limit?
> What is the best practice, the best value for the rate-limit clause?
>
> Thanks in advance.
> Have a nice and healthy day,
> With best regards
>
> --
> Onur GÜRSOY
> R&D Engineer in Embedded Systems
> Master Student at Gebze Institute Of Technology
> Department Of Electronic Engineering
> GSM : 0(545) 764 7653
> e-mail: [hidden email]
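An added example, not part of the thread and not ISC code: a Python sketch that measures, from a BIND 9 query log, the busiest one-second rate of identical queries per client block, so candidate limits such as the 10 and 5 responses per second mentioned above can be compared against a server's own traffic before RRL is enforced. The log lines are constructed, and grouping by /24 (IPv4) or /56 (IPv6) block plus query name and type is an assumed approximation of how RRL groups responses.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches BIND 9 query-log lines: timestamp, client address, query name, type.
LINE = re.compile(
    r"^(?P<time>\S+ \d\d:\d\d:\d\d)\.\d+ .*?client (?:@\S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) \S+ (?P<qtype>\S+)"
)

def _line(sec, ip, qname, qtype):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f"27-Nov-2020 08:00:{sec:02d}.000 queries: info: client @0x7f00 "
            f"{ip}#40000 ({qname}): query: {qname} IN {qtype} +E(0) (203.0.113.1)")

# Constructed sample: a burst spread over one /24, plus one busy resolver.
SAMPLE_LOG = "\n".join(
    [_line(1, f"192.0.2.{i}", "example.com", "ANY") for i in range(1, 13)]
    + [_line(2, "192.0.2.1", "example.com", "ANY") for _ in range(4)]
    + [_line(1, "198.51.100.7", "www.example.com", "A") for _ in range(7)]
)

def peak_rates(log_text, v4_prefix=24, v6_prefix=56):
    """Map (client block, qname, qtype) to its busiest one-second count."""
    per_second = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a query-log line
        prefix = v6_prefix if ":" in m["ip"] else v4_prefix
        block = str(ip_network(f"{m['ip']}/{prefix}", strict=False))
        per_second[(block, m["qname"].lower(), m["qtype"], m["time"])] += 1
    peaks = {}
    for (block, qname, qtype, _sec), count in per_second.items():
        key = (block, qname, qtype)
        peaks[key] = max(peaks.get(key, 0), count)
    return peaks

def would_exceed(log_text, responses_per_second):
    """Groups whose peak is above a candidate limit. One-second peaks are a
    conservative estimate: RRL averages over a window, not a single second."""
    return {k: n for k, n in peak_rates(log_text).items()
            if n > responses_per_second}

if __name__ == "__main__":
    for limit in (10, 5):
        print(limit, would_exceed(SAMPLE_LOG, limit))
```

On the constructed sample, a limit of 10 touches only the burst from 192.0.2.0/24, while a limit of 5 would also clip the single resolver at 198.51.100.7.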