Information
Responses to excessive, nearly identical UDP requests can be controlled by configuring a response rate-limit clause in an options or view statement. At this time, Response Rate Limiting is only recommended for authoritative servers.
Rationale:
The response rate limiting mechanism keeps an authoritative name server from being effectively used to amplify reflected distributed denial of service (DDoS) attacks. Short truncated responses will be sent when the rate-limited is exceeded. Legitimate non-spoofed clients will react to a dropped or truncated response by retrying with UDP or with TCP respectively. While the truncated or dropped responses to spoofed requests intended will greatly diminished the effectiveness of the attack.
Solution
To implement the recommended state, add or update a rate-limit clause in the server's options statement. Add a responses-per-second value of 5 or less, similar to the example below.
options {
. . .
rate-limit {
// Limit Response to Rapid Identical Queries for DDOS mitigation
responses-per-second 5;
. . .
};
Default Value:
Default value is 0 or no rate limit.