The rate-limit configuration in BIND (Berkeley Internet Name Domain) serves as a protective mechanism against DNS amplification attacks and excessive query loads. The parameters shown in your named.conf:
rate-limit {
    responses-per-second 5;
    window 5;
};
This configuration means the server will:
- Allow a maximum of 5 responses per second to any single client IP address
- Calculate this limit over a sliding window of 5 seconds
This relatively strict configuration (5 responses/second) could affect:
- Recursive resolvers serving multiple clients
- Applications performing bulk DNS lookups
- Monitoring systems that perform frequent DNS checks
Troubleshooting symptoms include:
# Common error messages
client 192.168.1.100#12345: rate limit drop
client 203.0.113.45#54321: query (www.example.com) dropped (rate-limit)
For most production environments, consider these adjusted values:
rate-limit {
    responses-per-second 20;
    window 15;
    exempt-clients {
        192.168.1.0/24;
        10.0.0.0/8;
    };
};
Key considerations:
- 20 responses/second accommodates most normal traffic patterns
- 15-second window smooths out burst traffic
- exempt-clients allows internal networks to bypass limits
Use these commands to monitor rate-limiting effectiveness:
# Dump the server counters to the statistics-file (named.stats in the working directory unless configured otherwise)
rndc stats
# Rate-limit events in the server log (adjust the path to your logging channel)
grep "rate limit" /var/log/named.log
# Then look for the rate-limit counters in the dumped statistics file (path follows your statistics-file setting)
grep -i "rate" /var/named/data/named.stats
For debugging, temporarily increase logging:
logging {
    channel rate-limit-log {
        file "/var/log/named-rate-limit.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
    };
    category rate-limit { rate-limit-log; };
};
BIND 9.16+ offers additional granular controls:
rate-limit {
    responses-per-second 15;
    window 10;
    log-only yes;          # Log but don't drop (testing phase)
    slip 2;                # Every 2nd excess response is sent truncated (TC=1) instead of dropped, so genuine clients retry over TCP
    min-table-size 10000;  # Initial size of the table that tracks clients and responses
    qps-scale 50;          # Tighten the limits proportionally once the server's total query rate exceeds 50 qps
};
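The stanzas above and the "key considerations" list are easy to get wrong by hand (a misspelled option name, a limit left at 5, log-only forgotten after testing). As an added example, not code from this page's answers or from BIND itself, the following Python script extracts the rate-limit block from a named.conf text, checks every option against the RRL option names documented for BIND 9, and reports the settings discussed above. The two embedded configurations are constructed samples; the option list is an assumption to verify against the reference manual of the BIND version you run.

```python
"""Lint the rate-limit stanza of a BIND named.conf.

Added example (not from this page's answers or from BIND): extract the
rate-limit { ... } block, reject option names BIND 9's RRL does not define,
and flag the settings the answers above call out as risky for production.
"""
import re

# RRL option names documented for BIND 9 (assumption: check against the
# reference manual for the version you run).
KNOWN_OPTIONS = {
    "responses-per-second", "referrals-per-second", "nodata-per-second",
    "nxdomains-per-second", "errors-per-second", "all-per-second",
    "window", "slip", "log-only", "qps-scale",
    "ipv4-prefix-length", "ipv6-prefix-length",
    "min-table-size", "max-table-size", "exempt-clients",
}

# Constructed sample configurations, modelled on the stanzas quoted above.
SAMPLE_STRICT = """
logging { category rate-limit { default_debug; }; };
options {
    directory "/var/named";
    rate-limit {
        responses-per-second 5;   # very strict
        window 5;
    };
};
"""

SAMPLE_TYPO = """
options {
    rate-limit {
        responses-per-second 20;
        window 5;
        exempt-clients { 192.168.1.0/24; 10.0.0.0/8; }; // Internal networks
        nxdomain-multiplier 0; /* not an RRL option */
    };
};
"""


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_rate_limit(conf):
    """Return the body of the rate-limit block, skipping the logging
    'category rate-limit' clause, which shares the name; None if absent."""
    for m in re.finditer(r"\brate-limit\s*\{", conf):
        if conf[:m.start()].rstrip().endswith("category"):
            continue
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        return conf[m.end():i - 1] if depth == 0 else None
    return None


def parse_rate_limit(conf):
    """Parse the stanza into {option: value}; exempt-clients becomes a list."""
    body = extract_rate_limit(strip_comments(conf))
    if body is None:
        return None
    opts = {}
    m = re.search(r"exempt-clients\s*\{([^}]*)\}\s*;", body)
    if m:
        opts["exempt-clients"] = [p.strip() for p in m.group(1).split(";") if p.strip()]
        body = body[:m.start()] + body[m.end():]
    for key, val in re.findall(r"([a-z0-9-]+)\s+([^;{}]+);", body):
        opts[key] = val.strip()
    return opts


def lint_rate_limit(conf):
    """Return a list of findings; an empty list means nothing to report."""
    opts = parse_rate_limit(conf)
    if opts is None:
        return ["no rate-limit block found: RRL is not configured"]
    findings = [f"unknown option '{k}': not a BIND RRL option"
                for k in opts if k not in KNOWN_OPTIONS]
    rps = opts.get("responses-per-second", "0")
    if not rps.isdigit() or int(rps) == 0:
        findings.append("responses-per-second unset or 0: RRL is disabled")
    elif int(rps) < 10:
        findings.append(f"responses-per-second {rps} is very strict; "
                        "resolvers behind NAT and monitoring hosts may be throttled")
    if opts.get("log-only") == "yes":
        findings.append("log-only yes: drops are logged but not enforced")
    if "exempt-clients" not in opts:
        findings.append("no exempt-clients: internal monitors are subject to the limits")
    return findings


if __name__ == "__main__":
    for name, conf in (("strict", SAMPLE_STRICT), ("typo", SAMPLE_TYPO)):
        print(name, lint_rate_limit(conf))
```

Run it against your own file with `lint_rate_limit(open("/etc/named.conf").read())`; it is a pre-check, not a replacement for `named-checkconf`, which is what actually decides whether named will load the file.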
Remember to reload after changes:
rndc reconfig
# Or full restart if needed
systemctl restart named
The rate-limit configuration in BIND's named.conf controls how many responses your DNS server will send to clients within a specified time window. This is a critical security and performance feature that helps prevent:
- DNS amplification attacks
- Server resource exhaustion
- Unintentional query storms from misconfigured clients
rate-limit {
    responses-per-second 5;
    window 5;
};
The configuration shown means:
- responses-per-second 5: Allows a maximum of 5 responses per second to any single client IP
- window 5: Tracks client activity over 5-second intervals (sliding window)
For most production environments, these values might be too restrictive. Consider:
- A busy recursive resolver serving multiple users behind NAT might exceed 5 queries/second
- Monitoring systems that perform frequent DNS checks could hit this limit
- Mobile apps with aggressive DNS caching might trigger rate limiting
For balanced protection without breaking normal operations:
rate-limit {
    responses-per-second 20;
    window 5;
    exempt-clients { 192.168.1.0/24; }; // Internal network
    nxdomains-per-second 0;             // 0 disables rate limiting of NXDOMAIN responses
};
To check if clients are being rate-limited:
rndc querylog   # toggles query logging; run it again to turn it off
tail -f /var/log/named/queries.log | grep dropped
Look for messages like:
client 203.0.113.45#12345: request dropped due to rate limiting
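Both the monitoring commands earlier on this page and the grep above leave you with raw log lines. As an added example, not code from the answers or from BIND, the following Python script parses the message shapes quoted on this page, counts drops and slips per client address, and aggregates them by the /24 (IPv4) or /56 (IPv6) prefix that RRL tracks by default, so a throttled internal network shows up as such rather than as a list of individual hosts. The sample log lines are constructed; the optional `@0x...` client handle and the "rate limit slip" wording in the regex are assumptions about newer BIND output.

```python
"""Summarise BIND rate-limit log lines per client and per prefix.

Added example (not from this page's answers or from BIND): parse the
message shapes quoted on this page, count drops and slips per client
address, then aggregate by the /24 (IPv4) or /56 (IPv6) prefix that RRL
uses by default, so that a throttled internal network stands out.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shapes quoted on this page, plus one
# ordinary query log line that must be ignored. Addresses are RFC 1918 or
# documentation ranges.
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.000 client 192.168.1.100#12345: rate limit drop
12-Mar-2024 10:00:01.200 client 192.168.1.100#12346: rate limit drop
12-Mar-2024 10:00:01.400 client 192.168.1.100#12347: rate limit slip
12-Mar-2024 10:00:02.000 client 203.0.113.45#54321: query (www.example.com) dropped (rate-limit)
12-Mar-2024 10:00:02.100 client 203.0.113.46#54322: query (www.example.com) dropped (rate-limit)
12-Mar-2024 10:00:02.500 client 203.0.113.45#12345: request dropped due to rate limiting
12-Mar-2024 10:00:03.000 client 198.51.100.7#40000: query: example.org IN A +E(0) (198.51.100.1)
"""

# Assumptions: newer BIND versions may print a client handle such as
# "client @0x7f..." before the address, and slipped (truncated) responses
# are logged with the word "slip" rather than "drop".
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"(?P<what>rate limit (?:drop|slip)|dropped \(rate-limit\)|dropped due to rate limiting)"
)

# RFC 1918 and IPv6 ULA space: the ranges an exempt-clients entry for "the
# internal network" would usually be expected to cover.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_line(line):
    """Return (client_ip, 'drop'|'slip') for a rate-limit message, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action = "slip" if m.group("what").endswith("slip") else "drop"
    return m.group("ip"), action


def rrl_prefix(ip):
    """Prefix RRL tracks by default: /24 for IPv4, /56 for IPv6."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 56
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def is_internal(net):
    """True if net lies inside RFC 1918 or ULA space."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)


def summarise(log_text):
    """Return (events per client IP by action, events per RRL prefix)."""
    per_ip = defaultdict(Counter)
    per_prefix = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, action = parsed
        per_ip[ip][action] += 1
        per_prefix[str(rrl_prefix(ip))] += 1
    return per_ip, per_prefix


def throttled_sources(log_text, min_events=2):
    """List (prefix, events, internal) for prefixes with at least min_events
    rate-limit events, busiest first; 'internal' flags RFC 1918/ULA prefixes,
    which usually points at a missing or wrong exempt-clients entry rather
    than an attack."""
    _, per_prefix = summarise(log_text)
    rows = [(net, n, is_internal(ipaddress.ip_network(net)))
            for net, n in per_prefix.items() if n >= min_events]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for net, n, internal in throttled_sources(SAMPLE_LOG):
        print(f"{net:<20} {n:>4} events{'  <- internal range' if internal else ''}")
```

Feed it the output of the grep above (`throttled_sources(open("dropped.log").read())`): an internal prefix near the top of the list is the signature of the "too restrictive for production" case described in both answers, while a cluster of external /24s hitting the limit is what RRL is there to absorb.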
For large-scale deployments, consider these additional parameters:
rate-limit {
    responses-per-second 30;
    window 3;
    errors-per-second 5;
    referrals-per-second 0; // Disable referral rate limiting
    slip 2;                 // Every 2nd response over the limit is sent truncated (TC=1) instead of dropped
};
When adjusting rate limits, monitor:
- CPU usage during peak times
- Memory consumption in named.stats
- Query response times before/after changes