Configuring DNS Response Rate Limiting (RRL) settings
Response Rate Limiting (RRL) is a security feature that mitigates DNS amplification (reflection) attacks by capping the rate at which a DNS server sends identical responses to the same source address or subnet. In such an attack the attacker spoofs the victim's address as the query source, so the server's large responses flood the victim; because the spoofed queries all appear to come from the same place, a per-source response cap defeats the amplification while legitimate clients are barely affected. Configuring RRL settings helps protect your DNS infrastructure from abuse and ensures fair usage among clients.
The image below illustrates how DNS RRL settings can be configured for your Microsoft DNS environment using DDI Central.

You can enhance the security and performance of your Microsoft DNS infrastructure by following the steps specified below to configure DNS RRL settings:
- Open the DNS module.
- Select the Config menu.
- On the Configuration page, navigate to the DNS RRL tab.
- Navigate to DNS RRL Settings and click Add DNS RRL Settings.
- In the Add DNS RRL Settings dialog box, enter the following details:
- RESPONSES PER SECOND: Enter the maximum number of times per second the DNS server may send the same response to sources in one subnet (the subnet size is set by the prefix length fields below). Example: Setting this to 1 means only one such response per second per source subnet. Very low values can throttle legitimate resolvers that share a single NAT address.
- ERRORS PER SECOND: Enter the maximum number of error responses (e.g., NXDOMAIN or SERVFAIL) the DNS server may send to one source subnet per second. Errors are counted separately from normal responses. Example: Setting this to 20 allows up to twenty error responses per second per source subnet.
- WINDOW IN SECONDS: Specify the period in seconds over which response rates are measured and averaged, so a short burst from a client that is under the limit on average is not penalised. Example: Setting this to 8 means the DNS server counts responses over an 8-second window.
- IPV4 PREFIX LENGTH: Specify the IPv4 prefix length used to group source addresses for rate limiting. Example: Setting this to 24 means all sources in the same /24 share one limit, so an attacker cannot evade the limit by spoofing several addresses within that subnet.
- IPV6 PREFIX LENGTH: Specify the IPv6 prefix length used to group source addresses for rate limiting. Example: Setting this to 56 means all sources in the same /56 share one limit.
- LEAKRATE: Enter the rate at which queries that would otherwise be dropped are still answered, so a legitimate client whose address is being spoofed can still get an answer when it retries. Example: Setting this to 3 means one in every three queries that exceed the limit receives a normal response.
- TRUNCATE RATE: Enter the rate at which queries that would otherwise be dropped receive a truncated response (TC bit set, no answer data) instead. A genuine client reacts by retrying over TCP, which a spoofing attacker cannot complete, so the real client is served while the amplification is still defeated. Example: Setting this to 2 means every second query that exceeds the limit receives a truncated response.
- MAXIMUM RESPONSES PER WINDOW: Specify the maximum number of responses allowed to one source subnet within the window defined above. Example: Setting this to 5 means a maximum of five responses per window per source subnet.
- RRL MODE: The mode of the RRL setting. Options:
- Enable: Activates the RRL feature.
- Disable: Deactivates the RRL feature.
- Click Save to finalize the DNS RRL Settings.
- You can edit or delete the settings later using the Edit and Delete buttons respectively.
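The fields in the dialog above correspond to the parameters of the Windows DnsServer PowerShell module, which is useful for verifying what DDI Central has pushed to a server or for applying the same settings on a server the tool does not manage. The following PowerShell is an added example and is not part of the original page or of DDI Central; the server name dns01, the monitoring subnet 10.20.30.0/24 and the exception-list name are placeholders. It uses Microsoft's documented default values rather than the illustrative values from the dialog, and it stages the policy in LogOnly mode, a third mode the cmdlet offers beyond the Enable and Disable options shown in the dialog.

```powershell
# Added example: verify and apply Windows DNS RRL settings with the built-in
# DnsServer module (Windows Server 2016 and later). Not DDI Central code.
# 'dns01' and 10.20.30.0/24 are placeholders, not values from the page.

$Server = 'dns01'

# 1. Record the current settings before changing anything. The documented Windows
#    defaults are ResponsesPerSec 5, ErrorsPerSec 5, WindowInSec 5,
#    IPv4PrefixLength 24, IPv6PrefixLength 56, LeakRate 3, TruncateRate 2 and
#    MaximumResponsesPerWindow 1024.
$before = Get-DnsServerResponseRateLimiting -ComputerName $Server
$before | Format-List

# 2. Stage the values in LogOnly mode. The server evaluates every query against the
#    limits and logs what it would have dropped, but still answers, so a limit that
#    is too tight for resolvers behind a large NAT shows up in the logs rather than
#    as an outage. -Force suppresses the confirmation prompt.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Force -PassThru `
    -ResponsesPerSec 5 `
    -ErrorsPerSec 5 `
    -WindowInSec 5 `
    -IPv4PrefixLength 24 `
    -IPv6PrefixLength 56 `
    -LeakRate 3 `
    -TruncateRate 2 `
    -MaximumResponsesPerWindow 1024 `
    -Mode LogOnly

# 3. Exempt a trusted source that legitimately sends bursts of identical queries
#    (a monitoring subnet here). RRL exceptions reference a named client subnet,
#    so that object is created first.
Add-DnsServerClientSubnet -ComputerName $Server -Name 'Monitoring' -IPv4Subnet '10.20.30.0/24'
Add-DnsServerResponseRateLimitingExceptionlist -ComputerName $Server `
    -Name 'MonitoringExempt' -ClientSubnet 'EQ,Monitoring'

# 4. After reviewing the LogOnly period, switch to enforcement.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Force -Mode Enable

# 5. Confirm the server is actually enforcing. A policy left in LogOnly or Disable
#    looks configured but provides no protection.
$after = Get-DnsServerResponseRateLimiting -ComputerName $Server
if ($after.Mode -ne 'Enable') {
    Write-Warning "RRL on $Server is not enforcing (Mode = $($after.Mode))"
}
```

Run this from an elevated session on a host with the DNS Server management tools installed. If the example values from the dialog are used instead (1 response per second, 5 responses per window), expect resolvers that share one NAT address to be throttled; the LogOnly pass is what catches that before it becomes an outage.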
Benefits of configuring DNS RRL
- Mitigates DNS amplification attacks: By limiting the rate of responses to any one source subnet, RRL prevents your DNS server from being used as a reflector that floods a spoofed victim address.
- Ensures fair usage: Prevents any single client from monopolizing server resources by imposing limits on the number of responses.
- Improves server performance: Helps maintain overall server performance by preventing excessive load from malicious or misconfigured clients.