Skip to content

feat: public anti-amplification — DNS Cookies (RFC 7873) + RRL slip/truncate + ANY-minimal (per-IP rate-limit already done) #203

Description

@redlemonbe

Already done (do not re-implement)

A per-source-IP / per-subnet token-bucket rate limit exists and is the baseline
anti-amplification control: src/dns/ratelimit.rs (1 s window, 65 536 buckets), config
rate-limit (q/s) + rate-limit-prefix-v4 (/24) / -v6 (/48), default ~200 q/s, applied on
both the kernel slow path and the XDP fast path via the shared rl_should_drop helper
(src/dns/server.rs, src/dns/kernel_loop.rs). Over-rate queries are answered Refused.
It already limits single-victim reflection (the spoofed source = the victim's IP → same bucket).

The real gap (this issue)

The public-resolver-grade anti-spoofing / anti-amplification pieces are not present
(verified: no cookie / slip / truncat / RRL / ANY-handling in the source):

  1. DNS Cookies (RFC 7873) — the key missing piece. A lightweight client/server cookie over
    UDP that proves the client isn't spoofing its source address. This is the single most
    effective, standard defence against reflection/amplification on a UDP resolver, and it's
    absent.
  2. RRL with SLIP / truncate — instead of dropping over-rate traffic, return TC=1 on a
    fraction (SLIP) so a legitimate client retries over TCP while a spoofed flood gets no
    amplification. A true RRL truncates; it doesn't just drop.
  3. ANY-query minimal responses — refuse / minimal / HINFO for qtype=ANY, the classic
    amplification vector.

Scope

  • DNS Cookies (RFC 7873): server-side secret, cookie echo/validation, BADCOOKIE + require-cookie
    policy for unverified clients on UDP.
  • RRL SLIP/leak-rate on top of the existing token bucket (truncate instead of drop).
  • ANY handling policy (minimal / refused), configurable.
  • Safe defaults when a public interface is detected; never expose plain :53 without cookies +
    RRL. (DoT/DoH are connection-oriented → not a spoofed-amplification vector.)

Status

Hard prerequisite for public exposure (issue for the encrypted public-resolver deployment
depends on this). The per-IP rate-limit baseline is done; this issue is the cookies + RRL-slip +
ANY layer on top.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions