This topic describes Response Rate Limiting (RRL), a Domain Name System (DNS) server feature in Windows Server 2016 and 2019. It prevents malicious systems from using your DNS servers to mount a denial of service attack on a DNS client.
By configuring RRL settings, you control how the server responds when it receives many requests targeting the same client. This prevents someone from abusing your DNS servers in a Denial of Service (DoS) attack. For instance, a botnet can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. Using RRL, you can configure the following settings:
· Responses per second. This is the maximum number of times the same response will be given to a client within one second.
· Errors per second. This is the maximum number of times an error response will be sent to the same client within one second.
· Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made.
· Leak rate. Determines how often the DNS server responds to queries if a client is in the suspension window. The leak rate is the number of queries it takes before a response is sent. A leak rate of 42 means that the DNS server only responds to one query out of every 42 when a client is in the suspension window period.
· TC rate. Tells the client to try connecting with TCP when the client is in the suspension window. For instance, if the TC rate is 3 and the server suspends responses to a given client, the server will send a truncated response (asking the client to retry over TCP) for every 3 queries received. Make sure the TC rate is lower than the leak rate, so that the client has the option of attempting a TCP connection before a leaked response is sent.
· Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended.
· White list domains. This is a list of domains to be excluded from RRL settings.
· White list subnets. This is a list of subnets to be excluded from RRL settings.
· White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.
Examples:
The Get-DnsServerResponseRateLimiting cmdlet displays response rate limiting (RRL) settings on a DNS server.
Command to display RRL settings on a DNS server
Get-DnsServerResponseRateLimiting (or its alias Get-DnsServerRRL)
This command displays the RRL settings on the DNS server.
Command to set RRL Mode Enabled on a DNS server
Set-DnsServerResponseRateLimiting -Mode Enable
Command to set RRL parameters on a DNS server
Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8
Command to reset RRL settings to default values
Set-DnsServerResponseRateLimiting -ResetToDefault
Command to set RRL to LogOnly mode
Set-DnsServerRRL -Mode LogOnly
Add DNS Server Response Rate Limiting Exceptionlist:
The Add-DnsServerResponseRateLimitingExceptionlist cmdlet adds a Response Rate Limiting (RRL) exception list on the DNS server. The RRL exception list indicates that responses to queries for specified Fully Qualified Domain Names (FQDNs), queries originating from specified client subnets, queries received on specified server interfaces, or any combination of these values, are exempt from RRL.
Example: Add a domain to an RRL exception list
Add-DnsServerResponseRateLimitingExceptionlist -Name "SafeList1" -Fqdn "EQ,*.contoso.com"
This command adds an RRL exception for names under the domain contoso.com.
Set-DnsServerResponseRateLimitingExceptionlist:
The Set-DnsServerResponseRateLimitingExceptionlist cmdlet updates the settings of a Response Rate Limiting (RRL) exception list.
Example: Set an RRL exception list
Set-DnsServerResponseRateLimitingExceptionlist -Name "SafeList1" -ServerInterfaceIP "EQ,10.0.0.1"
This command sets the ServerInterfaceIP value of the RRL exception list named SafeList1 to EQ,10.0.0.1.
Get RRL settings from a DNS server to set on a second server:
Get-DnsServerRRL -ComputerName "server1" | Set-DnsServerRRL -ComputerName "server2" -Force
This command gets the RRL settings on server1 and sets the same settings on server2.
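A staged rollout that combines the cmdlets above into one script, added here as an example and not taken from the original page or from Microsoft's documentation. It assumes the exception-list cmdlet accepts -ComputerName like the other DnsServer cmdlets, that the object returned by Get-DnsServerResponseRateLimiting exposes a Mode property, and that the server name and exempt domains are placeholders you replace.

```powershell
# Added example (not from the original page): staged RRL rollout on a Windows DNS server.
# Assumptions: the exception-list cmdlet accepts -ComputerName, and the object returned by
# Get-DnsServerResponseRateLimiting has a Mode property. Run from an elevated session with
# the DnsServer module available.
param(
    [string]$Server = 'localhost',               # placeholder target server
    [int]$ResponsesPerSec = 8,
    [int]$ErrorsPerSec = 8,
    [int]$WindowInSec = 7,
    [int]$LeakRate = 4,
    [int]$TruncateRate = 3,
    [string[]]$ExemptFqdns = @('*.contoso.com'),  # placeholder domains, as in the page's example
    [switch]$Enforce                              # omit to stay in LogOnly mode and observe first
)

# Rule stated above: the TC rate must be lower than the leak rate, otherwise a client in the
# suspension window never receives a truncated (retry over TCP) answer before a leaked one.
if ($TruncateRate -ge $LeakRate) {
    throw "TruncateRate ($TruncateRate) must be lower than LeakRate ($LeakRate)."
}

# 1. Capture the current settings so the change can be reviewed and reverted.
$before = Get-DnsServerResponseRateLimiting -ComputerName $Server
Write-Host "Current RRL mode on ${Server}: $($before.Mode)"

# 2. Start in LogOnly: the server logs what it would drop without changing its behaviour.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Mode LogOnly -Force

# 3. Apply the rate parameters (same parameters the page's Set- example uses).
Set-DnsServerResponseRateLimiting -ComputerName $Server -WindowInSec $WindowInSec `
    -LeakRate $LeakRate -TruncateRate $TruncateRate -ErrorsPerSec $ErrorsPerSec `
    -ResponsesPerSec $ResponsesPerSec -Force

# 4. Exempt names that must always be answered, one exception list per domain.
foreach ($fqdn in $ExemptFqdns) {
    $listName = 'Exempt-' + ($fqdn -replace '[^A-Za-z0-9]', '_')
    Add-DnsServerResponseRateLimitingExceptionlist -ComputerName $Server `
        -Name $listName -Fqdn "EQ,$fqdn"
}

# 5. Switch to enforcement only when explicitly requested, after the LogOnly output was reviewed.
if ($Enforce) {
    Set-DnsServerResponseRateLimiting -ComputerName $Server -Mode Enable -Force
}

# Show the resulting configuration.
Get-DnsServerResponseRateLimiting -ComputerName $Server
```

Run it once without -Enforce, review the RRL log entries during normal traffic, then rerun with -Enforce to move from LogOnly to Enable.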