Bind DNS rate-limit and values for responses-per-second and window

Solution 1:

You should read the administrator reference manual for BIND 9.9.

Basically, responses-per-second is the number of identical replies that can be sent to one single destination, per second. The definitions are tricky.

A single destination is a block of network addresses, of the size configured in ipv4-prefix-length or ipv6-prefix-length as applicable. So, if the ipv4-prefix-length is 24, and both and are querying the DNS server, they will share this quota and can only send so many queries between the two of them.

Identical replies are replies to queries for a particular RRtype for a particular existent name, or for a nonexistent name. The following queries are all distinct:


However, all of the following queries are identical (assuming etc. live up to their names):


window complicates things a little more still. It is the number of seconds for which quota can be banked. Multiplying window and responses-per-second gives the maximum by which any quota can be positive, or in more basic terms, the burst capacity.

To give a catch-all example:

You are the nonrecursing, authoritative nameserver for Imagine no DNS traffic was seen at all in the past 10 seconds, and the configuration in the question applies globally. The following events happen sequentially:

  1. Host sends 100 queries for IN NS 25 will be allowed, and the remaining 75 will be ignored.
  2. Host sends 100 queries for IN A 25 will be allowed, and the remaining 75 will be ignored.
  3. Host sends 1 query for IN MX It will be ignored since the limit for nonexistent domains has been reached.
  4. Host sends 1 query for IN A It is allowed.
  5. Hosts through each send a single query for IN NS 25 of them get replies and the remaining 25 are ignored; the quota for does not apply to these hosts, but they share the quota for
  6. One second passes
  7. Hosts through repeat their query IN NS 5 of them get replies and the remaining 20 are ignored, since the quota is only replenished by 5 queries per second.
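To make the worked sequence above concrete, here is an added token-bucket model of the three knobs the answer describes (responses-per-second, window and ipv4-prefix-length). It is illustrative code written for this page, not BIND's implementation, and it is a simplification: the balance is a plain token bucket that never goes below zero, exactly as the answer's arithmetic assumes. The zone name (example.com), the client addresses (192.0.2.10 for the first host, 198.51.100.1-50 for the other fifty) and the query names are constructed for the example, since the original post's hostnames are not on the page.

```python
"""Token-bucket model of BIND 9 RRL as described in the answer above.

Added illustration only, not BIND's code. responses-per-second refills the
bucket, window bounds how much can be banked (burst = rps * window), and
ipv4-prefix-length decides which clients share one bucket. Zone, names and
addresses below are constructed for the example.
"""
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.window = window
        self.prefix_len = ipv4_prefix_length
        self.now = 0.0
        # (client block, response identity) -> (token balance, last update time)
        self.buckets = {}

    @property
    def burst(self):
        # Maximum positive quota: window seconds worth of responses.
        return self.rps * self.window

    def client_block(self, ip):
        # A "single destination" is the enclosing prefix, not the host address.
        return ipaddress.ip_network((ip, self.prefix_len), strict=False)

    @staticmethod
    def response_identity(qname, qtype, exists):
        # Existing names are grouped by (name, RRtype); every nonexistent
        # name collapses into one NXDOMAIN group regardless of RRtype.
        if exists:
            return ("answer", qname.lower(), qtype.upper())
        return ("nxdomain",)

    def allow(self, client_ip, qname, qtype, exists=True):
        key = (self.client_block(client_ip),
               self.response_identity(qname, qtype, exists))
        balance, last = self.buckets.get(key, (self.burst, self.now))
        # Refill at rps tokens per second, capped at the burst size.
        balance = min(self.burst, balance + (self.now - last) * self.rps)
        allowed = balance >= 1
        if allowed:
            balance -= 1
        self.buckets[key] = (balance, self.now)
        return allowed

    def advance(self, seconds):
        self.now += seconds


def run_scenario(limiter=None):
    """Replay the answer's seven steps; returns the replies sent per step."""
    rrl = limiter or ResponseRateLimiter()  # rps 5, window 5: burst of 25
    zone = "example.com"                     # constructed zone name
    host_a = "192.0.2.10"                    # constructed first host
    # Fifty constructed hosts in a different /24 than host_a.
    other_hosts = [f"198.51.100.{i}" for i in range(1, 51)]
    results = []

    def send(ip, name, qtype, exists, n):
        return sum(rrl.allow(ip, name, qtype, exists) for _ in range(n))

    results.append(send(host_a, zone, "NS", True, 100))                  # 25
    results.append(send(host_a, "nosuch." + zone, "A", False, 100))      # 25
    results.append(send(host_a, "alsonosuch." + zone, "MX", False, 1))   # 0
    results.append(send(host_a, "www." + zone, "A", True, 1))            # 1
    results.append(sum(rrl.allow(ip, zone, "NS") for ip in other_hosts))  # 25
    rrl.advance(1)                                                        # one second passes
    results.append(sum(rrl.allow(ip, zone, "NS") for ip in other_hosts))  # 5
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Changing ipv4-prefix-length to 32 in the constructor makes each of the fifty hosts its own destination, so the last two steps answer all fifty queries; that is the trade-off the prefix length sets between per-host fairness and resistance to a spoofed-source flood.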

Solution 2:

It limits the number of identical responses a single DNS client can get in a second. The window 5 option allows a burst of 5*5 responses.

"Identical responses" and "single DNS client" are a bit non-obvious terms here, read this for more info: .

Generally it's a good thing to rate-limit; it may help you in case of a DoS attack some day. The defaults should be OK for most cases.

Solution 3:

#!/bin/sh
# Record every source that sends UDP/53 in the "dnslimit" recent list,
# then drop a source once it has been seen 11 or more times within 60 s.
iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 60 --hitcount 11 --name dnslimit -j DROP

iptables can work just as well. It keeps the traffic out of the service completely if an attack is found.