Already done (do not re-implement)
A per-source-IP / per-subnet token-bucket rate limit exists and is the baseline
anti-amplification control: src/dns/ratelimit.rs (1 s window, 65 536 buckets), config
rate-limit (q/s) + rate-limit-prefix-v4 (/24) / -v6 (/48), default ~200 q/s, applied on
both the kernel slow path and the XDP fast path via the shared rl_should_drop helper
(src/dns/server.rs, src/dns/kernel_loop.rs). Over-rate queries are answered Refused.
It already limits single-victim reflection (the spoofed source = the victim's IP → same bucket).
The real gap (this issue)
The public-resolver-grade anti-spoofing / anti-amplification pieces are not present
(verified: no cookie / slip / truncat / RRL / ANY-handling in the source):
- DNS Cookies (RFC 7873) — the key missing piece. A lightweight client/server cookie over
UDP that proves the client isn't spoofing its source address. This is the single most
effective, standard defence against reflection/amplification on a UDP resolver, and it's
absent.
- RRL with SLIP / truncate — instead of dropping over-rate traffic, return TC=1 on a
fraction (SLIP) so a legitimate client retries over TCP while a spoofed flood gets no
amplification. A true RRL truncates; it doesn't just drop.
ANY-query minimal responses — refuse / minimal / HINFO for qtype=ANY, the classic
amplification vector.
Scope
- DNS Cookies (RFC 7873): server-side secret, cookie echo/validation, BADCOOKIE + require-cookie
policy for unverified clients on UDP.
- RRL SLIP/leak-rate on top of the existing token bucket (truncate instead of drop).
ANY handling policy (minimal / refused), configurable.
- Safe defaults when a public interface is detected; never expose plain
:53 without cookies +
RRL. (DoT/DoH are connection-oriented → not a spoofed-amplification vector.)
Status
Hard prerequisite for public exposure (issue for the encrypted public-resolver deployment
depends on this). The per-IP rate-limit baseline is done; this issue is the cookies + RRL-slip +
ANY layer on top.
Already done (do not re-implement)
A per-source-IP / per-subnet token-bucket rate limit exists and is the baseline
anti-amplification control:
src/dns/ratelimit.rs(1 s window, 65 536 buckets), configrate-limit(q/s) +rate-limit-prefix-v4(/24) /-v6(/48), default ~200 q/s, applied onboth the kernel slow path and the XDP fast path via the shared
rl_should_drophelper(
src/dns/server.rs,src/dns/kernel_loop.rs). Over-rate queries are answeredRefused.It already limits single-victim reflection (the spoofed source = the victim's IP → same bucket).
The real gap (this issue)
The public-resolver-grade anti-spoofing / anti-amplification pieces are not present
(verified: no
cookie/slip/truncat/RRL/ANY-handling in the source):UDP that proves the client isn't spoofing its source address. This is the single most
effective, standard defence against reflection/amplification on a UDP resolver, and it's
absent.
fraction (SLIP) so a legitimate client retries over TCP while a spoofed flood gets no
amplification. A true RRL truncates; it doesn't just drop.
ANY-query minimal responses — refuse / minimal / HINFO forqtype=ANY, the classicamplification vector.
Scope
policy for unverified clients on UDP.
ANYhandling policy (minimal / refused), configurable.:53without cookies +RRL. (DoT/DoH are connection-oriented → not a spoofed-amplification vector.)
Status
Hard prerequisite for public exposure (issue for the encrypted public-resolver deployment
depends on this). The per-IP rate-limit baseline is done; this issue is the cookies + RRL-slip +
ANY layer on top.