# BIND DNS RRL, and Recursion vs Forwarding



## dkovacevic (Jun 13, 2013)

Would implementing response rate limiting (DNS RRL) on BIND cause loss of legitimate traffic? For example, if only 5 responses are allowed per second, and ALL of these responses are in response to an attack, won't legitimate packets be harmed as a result? Or does "allow x responses per second" actually mean "allow x responses per second per destination IP"?

Next, how are "forwarding" and "recursion" related in BIND? Specifically, I am having trouble with this example scenario:

NS server 1: hostname ns1, IP 192.168.1.227, authoritative for domain "example.org". Forwarding is enabled to IP 192.168.1.240.
NS server 2: hostname ns2, IP 192.168.1.240, authoritative for domain "test.org". Forwarding is enabled to IP 192.168.1.227.
In each named.conf global options section, recursion is set to 'no'. In the same section, "allow-query" is set to 192.168.1.0/24.
When doing `nslookup` queries on each of these servers for the fully qualified domain name of the other server from a host in that IP range: `nslookup ns1.example.org 192.168.1.240` I get messages like these in the log:

```
client 192.168.1.124#9153: query (cache) 'ns1.example.org/A/IN' denied
```
But if the recursion option is enabled for the 192.168.1.0/24 range on the same server (192.168.1.240 in this example), the query is allowed through.

Why must I enable recursion when I've already enabled forwarding to the other server?


----------



## ShelLuser (Jun 13, 2013)

I can't comment on the RRL aspect, but with regards to forwarding and recursion I do wonder how you enabled forwarding?


----------



## kpa (Jun 13, 2013)

Recursion in DNS lingo means resolving queries for other domains than the server is authoritative for. If you don't allow recursion your server will answer only queries for its "own" domains. The recursive queries may be answered by asking the forwarders (if you have set up forwarders) or by asking the authoritative servers of the queried domain.


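The two-server scenario from the question, written out as an added named.conf example for ns1 (this is not configuration from the original thread; the `directory`, zone file names and the use of a per-zone forward zone instead of global forwarders are my assumptions). The point it shows is that forwarders are only consulted for queries the server answers recursively, so `recursion no` means the forwarder is never used and the query for a foreign name is refused with the "query (cache) ... denied" log line:

```conf
// ns1 (192.168.1.227): authoritative for example.org, forwards
// test.org questions to ns2 (192.168.1.240).  Example only.
options {
    directory "/var/named";          // assumption

    // Recursion must be on, otherwise BIND never looks past its own
    // authoritative zones and the forward zone below is never used.
    recursion yes;

    // Who may ask anything at all (matches the question's setting).
    allow-query { 192.168.1.0/24; };

    // Who may ask for names we are NOT authoritative for.  Keep this
    // to the LAN so the box is not an open resolver for the Internet.
    allow-recursion   { 192.168.1.0/24; };
    allow-query-cache { 192.168.1.0/24; };

    // Deliberately NO global "forwarders" here: with both servers
    // forwarding everything to each other, a query for a name that
    // neither hosts would bounce between them.
};

// Our own zone; answered authoritatively with or without recursion.
zone "example.org" {
    type master;
    file "example.org.zone";          // assumption
};

// Only test.org is sent to ns2.  "forward only" means: if ns2 does
// not answer, fail, rather than walking from the root servers.
zone "test.org" {
    type forward;
    forward only;
    forwarders { 192.168.1.240; };
};
```

ns2 gets the mirror image (a master zone for test.org and a forward zone for example.org pointing at 192.168.1.227). Queries from outside 192.168.1.0/24 for either server's own zone are still answered; only the recursive path is restricted, which is the difference between an authoritative server and an open resolver.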
----------



## dkovacevic (Jun 13, 2013)

Ah, that explains a lot.

For some reason, I was under the impression that enabling recursion simply enabled the process of tracking down a fully qualified domain name starting at a root server. I did not realize that recursion also meant resolving queries for targets other than the domain the server is authoritative for.

Thanks!


----------



## dkovacevic (Jun 13, 2013)

In answer to the rate limiting question:


> By keeping a moderate amount of state as to what requestor has heard what response recently it is possible to silently drop requests which are part of attack flows with little or no impact on non-attack requests.


From http://ss.vix.su/~vixie/isc-tn-2012-1.txt.

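An added example of the corresponding BIND `rate-limit` block (not from the thread; the numbers and the exempt netblock are illustrative assumptions). It shows what the per-requestor state in the quoted note looks like as configuration: the limit is counted per (client netblock, identical response) pair, not as one counter for the whole server, so a flood of spoofed queries for one name does not use up the allowance of an unrelated client asking for something else:

```conf
options {
    // ... other options ...

    rate-limit {
        // Limit applied per client netblock AND per identical
        // response (same name, type and rcode); this is not a
        // global "5 answers per second for the whole server".
        responses-per-second 5;
        nxdomains-per-second 5;
        errors-per-second    5;

        // Netblock size that defines a "requestor".  These are the
        // defaults; a /24 groups neighbouring IPv4 clients together.
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;

        // Seconds over which unused allowance can accumulate.
        window 5;

        // Of the responses that exceed the limit, answer every 2nd
        // with a small truncated (TC=1) reply instead of dropping.
        // A real client retries over TCP; a spoofed source gets
        // no amplification.
        slip 2;

        // Clients that are never limited (assumption: the LAN).
        exempt-clients { 192.168.1.0/24; };

        // Log what would be limited without enforcing, to size the
        // numbers before turning enforcement on.
        log-only yes;
    };
};
```

Start with `log-only yes`, watch the "rate limit" lines in the log for a few days, and only then set it to `no`. Legitimate recursive resolvers that query a busy zone frequently are the clients most likely to trip the limit; they still get answers, because the truncated replies from `slip` make them retry over TCP.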

----------

