Configuring RRL Exception List for Microsoft DNS
Response Rate Limiting (RRL) helps mitigate the effects of DNS amplification attacks by limiting the rate at which responses are sent to clients. However, there might be certain clients or subnets that you want to exempt from these limits. Configuring an RRL exception list allows you to specify such exemptions.
The image below illustrates how an RRL exception list is configured for Microsoft DNS using DDI Central.

Here’s a step-by-step guide on how to configure it:
- NAME: Assign a unique name to the new exception list so the rule can be identified quickly.
- CONDITION: Select the logical operator (AND/OR) that determines how multiple criteria (client subnets and FQDNs) are combined when the exception is evaluated.
- ALLOW LIST DETAILS:
  - CLIENTSUBNET: Select, from the configured client subnets, the subnets that should be exempted from RRL.
  - FQDN: Specify the FQDNs that should be exempted from RRL. Use a comma to separate multiple entries.
- DENY LIST DETAILS:
  - CLIENTSUBNET: Select the client subnets that should not be exempted from RRL.
  - FQDN: Specify the FQDNs that should not be exempted from RRL. Use a comma to separate multiple entries.
- Click Save to apply the exception list settings.
By following these steps, you can effectively manage RRL exceptions in Microsoft DNS, ensuring that trusted clients and critical services are not impacted by rate limiting, while still protecting your DNS infrastructure from potential abuse.
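For reference, the same NAME / CONDITION / ALLOW LIST configuration expressed directly against the Windows DnsServer PowerShell module, as an added example that is not DDI Central's own code or part of the original page. The list name, subnet name, CIDR range and FQDN pattern are constructed placeholders, and the mapping of the page's allow list onto the cmdlet's EQ comparator is an assumption; the deny-list half of the form is not shown here.

```powershell
# Added example (not DDI Central's code). Placeholders: "TrustedMonitors",
# 192.0.2.0/24, "MonitorAllow", *.example.com. Assumption: the ALLOW list in the
# DDI Central form corresponds to the EQ comparator of the native cmdlet.

# 1. Define the client subnet the exception will reference. RRL exception lists
#    refer to client subnets by name, not by raw CIDR.
Add-DnsServerClientSubnet -Name "TrustedMonitors" -IPv4Subnet "192.0.2.0/24"

# 2. NAME + CONDITION + ALLOW LIST: exempt the monitoring subnet from RRL, but
#    only for queries about example.com names (AND: both criteria must match).
Add-DnsServerResponseRateLimitingExceptionlist -Name "MonitorAllow" `
    -Condition "AND" `
    -ClientSubnet "EQ,TrustedMonitors" `
    -Fqdn "EQ,*.example.com"

# 3. Verify the list and confirm RRL itself is enforcing. Mode "Enable" limits
#    responses; "LogOnly" only records would-be drops, which is useful for
#    validating an exception list before it goes live.
Get-DnsServerResponseRateLimitingExceptionlist |
    Format-Table Name, Condition, ClientSubnet, Fqdn
Get-DnsServerResponseRateLimiting |
    Select-Object Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec
```

Keep exception lists narrow: every subnet or FQDN that is exempted is also excluded from the amplification protection RRL provides, so prefer the AND condition when both a subnet and a name pattern can be stated.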