Response Rate Limiting (RRL)

 RRL, or Response Rate Limiting, is a security feature implemented in DNS servers to mitigate the impact of Distributed Denial of Service (DDoS) attacks, particularly DNS amplification attacks. It works by limiting the rate at which DNS responses are sent from a server to a particular client or set of clients.

When a DNS server receives an unusually high volume of requests, possibly as part of an attack, RRL kicks in to restrict the number of responses sent back to any given requester over a specified period. This helps to prevent the server from being used as a tool in amplification attacks, where large numbers of responses are sent to a victim's network, overwhelming its bandwidth. It is implemented in ME DDI using the rate-limit DNS option.

Configuring RRL in DDI

To configure it, select DNS -> Config -> DNS Options.

On the DNS Options page, click the Options drop-down box and search for the rate-limit option.

The rate-limit option appears with all its attributes. Fill in the values for each attribute and click Save.


Here are explanations for various attributes of the rate-limit option:

  1. all-per-second: Limits the total number of all responses (regardless of type) per second.

  1. errors-per-second: Limits the number of error responses (like SERVFAIL) per second.

  1. ipv4-prefix-length and ipv6-prefix-length: Define the subnet mask length for aggregating IPv4 and IPv6 addresses. This dictates how broadly the rate limiting is applied across a range of IP addresses.
    For example, ipv4-prefix-length of 24 means that the server will apply rate limits to all addresses in each /24 subnet as a group. Therefore, all requests originating from the 192.168.1.0/24 subnet, for instance, would be collectively subject to the specified rate limit.

  1. exempt-clients: Specifies clients (usually by IP address or subnet) that are exempt from rate limiting. This is often used for trusted networks.

  1. log-only: When enabled, BIND logs the rate-limited responses without actually enforcing the limits. This is useful for testing the configuration.

  1. max-table-size: The maximum number of entries in the rate-limiting table. A larger table can track more clients but requires more memory.

  1. min-table-size: The minimum size of the rate-limiting table.

  1. nodata-per-second: Limits the number of responses per second that result in NODATA (no error but no data).

  1. nxdomains-per-second: Limits the number of NXDOMAIN (non-existent domain) responses per second.

  1. qps-scale: A factor by which to scale the queries per second calculation. It can be used to adjust the sensitivity of rate limiting.

  1. referrals-per-second: Limits the number of DNS referral responses per second.

  1. responses-per-second: Limits the number of identical responses per second from a single IP address or subnet.

  1. slip: Defines the behavior when a rate limit is exceeded. Typically, every nth response will be truncated.
    The slip setting determines how often the DNS server will send a truncated response instead of dropping the response entirely when rate limiting is in effect. A truncated response is a response that tells the querying client that it should retry the request over TCP instead of UDP. Since TCP connections require more resources to establish, attackers are less likely to use them, making DDoS attacks less effective.

    Here is a breakdown of the slip option:

      1. Value 0: The server will drop all responses that exceed the rate limit.
      1. Value 1: The server will send a truncated response for every request that exceeds the rate limit.
      1. Values 2 and higher: The server will send truncated responses for one out of every 'slip' number of requests that exceed the rate limit. For example, if the slip value is set to 2, then the server will send a truncated response for every second request that exceeds the limit.

  1. window: The time period, in seconds, over which BIND calculates the rate of identical responses for rate limiting.

Example

```
rate-limit {
    responses-per-second 10;
    window 5;
    ipv4-prefix-length 24;
    ipv6-prefix-length 48;
    slip 2;
    nxdomains-per-second 5;
    nodata-per-second 5;
    errors-per-second 2;
    all-per-second 20;
    max-table-size 100000;
    exempt-clients { 192.168.0.0/24; };
    log-only yes;
};
```

In the above configuration example, ME DDI will limit identical DNS responses to 10 per second, measured over a 5-second window. Once the limit is exceeded, DDI will send a truncated response for every second rate-limited response and drop the others (slip 2). The local network (192.168.0.0/24) is exempt from these limits, and the log-only setting means the limits will be logged but not enforced, which is helpful for initial testing.
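To make the interaction between responses-per-second, window, the prefix lengths, slip and log-only concrete, here is an added Python model of the decision logic. It is not DDI's or BIND's own code: it is a simplified credit-bucket approximation (the real implementation differs in details such as the starting balance and exactly which responses count as identical), and the client addresses and query names used are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict


class RateLimiter:
    """Simplified model of BIND-style RRL decisions (not BIND's exact algorithm)."""

    def __init__(self, responses_per_second=10, window=5,
                 ipv4_prefix_length=24, ipv6_prefix_length=56,
                 slip=2, exempt_clients=(), log_only=False):
        self.rps = responses_per_second
        self.max_credit = responses_per_second * window   # credit cap over the window
        self.prefix = {4: ipv4_prefix_length, 6: ipv6_prefix_length}
        self.slip = slip
        self.exempt = [ipaddress.ip_network(n) for n in exempt_clients]
        self.log_only = log_only
        self.buckets = {}                 # (client block, response) -> (credit, last second)
        self.limited = defaultdict(int)   # limited responses per bucket, drives slip
        self.log = []

    def aggregate(self, client_ip):
        """Collapse a client address to its configured prefix-length block."""
        addr = ipaddress.ip_address(client_ip)
        return ipaddress.ip_network((addr, self.prefix[addr.version]), strict=False)

    def decide(self, client_ip, response, now):
        """Return 'send', 'truncate' (TC bit set, client retries over TCP) or 'drop'."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.exempt):
            return "send"                                  # exempt-clients bypass RRL
        key = (self.aggregate(client_ip), response)        # all clients in the block share it
        credit, last = self.buckets.get(key, (self.rps, now))
        # Refill rps credits per elapsed second (capped at rps * window), charge one credit.
        credit = min(self.max_credit, credit + (now - last) * self.rps) - 1
        self.buckets[key] = (max(credit, -self.max_credit), now)
        if credit >= 0:
            return "send"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            action = "truncate"            # one in every `slip` limited responses
        else:
            action = "drop"                # slip 0 drops everything over the limit
        if self.log_only:                  # record what would have happened, then answer normally
            self.log.append(f"{now}s {key[0]} {response}: would {action}")
            return "send"
        return action
```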
