New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Vernon Schryver vjs at rhyolite.com
Thu Sep 19 23:42:44 UTC 2013


> From: Noel Butler <noel.butler at ausics.net>

> I have been using this since 9.9.4bx, and although documentation is/was
> lacking at the time, so there might be a whitelisting somewhere, but in
> its absence, I highly advise against using RRL if your mail servers use
> those DNS servers

I believe there have been no significant changes to the RRL documentation
since long before any version of BIND 9.9.4.

BIND RRL has had whitelisting for trusted DNS clients that send repeated
DNS requests since early days, long before any version of BIND 9.9.4.
Look for 'exempt-clients{address_match_list};' in either the ARM that
comes with 9.9.4 or via the old link labeled "Draft text for BIND9
Administrators Reference Manual (ARM) describing DNS Response Rate
Limiting (RRL)" on the original ratelimits web page at
http://www.redbarn.org/dns/ratelimits

    [ rate-limit {
        ...
        [ exempt-clients  { address_match_list } ; ]
        ...
      } ; ]

 ...

  DNS clients within a view can be exempted from rate limits with
  the exempt-clients clause.


RRL is not recommended for recursive DNS servers, because in theory
it could squelch repeated requests from legitimate DNS clients
without caches such as some SMTP servers.

However, I do not recall reports of significant real, as opposed to
anticipated or minor problems with RRL on recursive DNS servers.  The
worst that should happen is that legitimate clients will be slowed,
such as SMTP servers (mail receivers) receiving spews of spam or SMTP
clients (mail senders) spewing spam or without required DNSBL whitelisting.
A legitimate DNS client that is squelched by RRL will time-out every
other repeated request and (with the default SLIP=2) retry with TCP.

What problems did you see with your mail system and your recursive DNS
server with RRL?


Vernon Schryver    vjs at rhyolite.com
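As an added illustration, not taken from Vernon's message or from the BIND ARM, here is a named.conf fragment that enables RRL on a recursive view while exempting an ACL of mail servers via exempt-clients; the view name, ACL name and all addresses are assumptions.

```conf
# Added example, not from the original message. The mail server
# addresses below are constructed placeholders (RFC 5737/3849 ranges).
acl mail-servers {
    192.0.2.10;        # assumed inbound MX
    192.0.2.11;        # assumed outbound relay
    2001:db8::25;      # assumed IPv6 MX
};

view "internal" {
    match-clients { 10.0.0.0/8; mail-servers; };
    recursion yes;

    rate-limit {
        responses-per-second 10;
        # slip 2 is the default: every other dropped answer is sent
        # truncated (TC=1) so a real client retries over TCP.
        slip 2;
        # Clients in this address_match_list are never rate limited,
        # which is the whitelisting Noel was looking for.
        exempt-clients { mail-servers; };
        # log-only yes records what would have been dropped without
        # dropping it; switch to no once the exempt list is verified.
        log-only yes;
    };
};
```

Running with log-only first lets you grep the named log for rate-limit entries naming your mail servers before enforcement, which is the quickest way to confirm the exempt-clients list is complete.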


More information about the bind-users mailing list