UnboundRatelimitForDomains

By admin
Unbound is a common resolving

DNS
ORG

server; we use it ourselves on our local recursive

DNS
ORG

resolvers. For a long time,

Unbound
ORG

has had the ability to set ratelimits, as covered in the unbound.conf manual page. These ratelimits have historically been a little complicated to understand (for example), and the situation is still not completely clear in the current (

September 2023
DATE

) documentation.

Unbound can have both a global ratelimit, set with ‘ ratelimit ‘, and

one
CARDINAL

or more different rate limits for different areas of the

DNS
ORG

.

These days
DATE

, there are

two
CARDINAL

directives for ratelimits of specific

DNS
ORG

areas, which I will quote more or less directly from the documentation:

ratelimit-for-domain Override the global ratelimit for an exact match domain name with the listed number. You can give this for any number of names. For example, for a top-level-domain you may want to have a higher limit than other names. A value of

0
CARDINAL

will disable ratelimiting for that domain. ratelimit-below-domain Override the global ratelimit for a domain name that ends in this name. You can give this multiple times, it then describes different settings in different parts of the namespace. The closest matching suffix is used to determine the qps limit. The rate for the exact matching domain name is not changed, use ratelimit-for-domain to set that, you might want to use different settings for a top-level-domain and subdomains. A value of

0
CARDINAL

will disable ratelimiting for domain names that end in this name.

There is also a sample configuration with commented examples that may be worth reading.

How ‘ ratelimit-below-domain ‘ works seems obvious from the text of the documentation (which doesn’t mean my impression is correct). It presumably works by textual matching against the

DNS
ORG

name you used in your query, where the query is ‘below’ this if its name ends in ‘.<domain>’. As the documentation says, direct queries for ‘<domain>’ are not ‘below’ and aren’t covered. However, it is possible that this is incorrect and it’s actually defined in terms of

DNS
ORG

zones, where it applies to queries in

DNS
ORG

zones that are below the DNS zone of the domain you list.

This leaves me with the question of what ‘ ratelimit-for-domain ‘ really applies to, because there are

two
CARDINAL

answers. The

first
ORDINAL

is that it is a purely textual match; if you have a ratelimit-for-domain on example.com, only

DNS
ORG

queries where the query name is exactly ‘example.com’ match, which is generally not going to be too many of them. The

second
ORDINAL

answer, which is more natural in a

DNS
ORG

sense, is that the ratelimit applies to everything in the ‘example.com’ DNS zone, but not anything that requires following a

NS
ORG

record out of it. Often, although not always, ‘DNS zone’ is what

DNS
ORG

people mean when they say ‘domain’ in a DNS context.

(Reading my

2016
DATE

entry on the old state of ratelimit-for-domain suggests that at that point it was based on the zone, since it was logging messages about ratelimiting a query for ‘www.utoronto.ca’ when the ratelimit-for-domain was ‘utoronto.ca’. That might have been changed when ratelimit-below-domain was added.)

Unfortunately I don’t know of any good way to find out the answer (reading the

Unbound
LOC

source doesn’t quality). I guess I could set up a test Unbound with extremely low limits for some test names and see what gets logged.

I suspect that this mostly doesn’t matter in practice, and certainly it doesn’t for us. In most situations you probably want to use either ratelimit-below-domain (which is probably what you mean) by itself, or set both to the same value (including setting no limit, which is explicitly supported

these days
DATE

but didn’t used to be):

ratelimit-for-domain: utoronto.ca 0 ratelimit-below-domain: utoronto.ca 0

If ‘ratelimit-for-domain’ works by textually matching the

DNS
ORG

name in the query, I think you could also use it to mostly block

DNS
ORG

resolution for some specific name that clients are pounding on repeatedly:

ratelimit-for-domain: sync-debug.dev.example.org 1

If it works by DNS zone, I’m not sure this is possible unless the name you want to stop flooding you with is in its own

DNS
LOC

zone.