
[public-dns-discuss] Re: Rate limit for DNS over HTTPS



Thank you for the clarification...

On Tuesday, 23 October 2018 19:24:16 UTC+5:30, Alex Dupuy wrote:
Thanks for your question, birajendu.

You wrote:
Is there any specific error code when this service hits the rate limit? I have noticed a 502 error a few times, but most of the time the request times out!

In the UDP cases, we just drop the DNS request, since there is no useful DNS response for rate limiting. Returning a NODATA response with the TC (truncated) flag set is useful for amplification limits to redirect legitimate clients to TCP and protect against reflection attacks, but when there are simply too many queries, moving the query load over to TCP would be counter-productive. Letting the query time out will naturally reduce the load, whereas returning a SERVFAIL error for a query to 8.8.8.8 would often result in an immediate retry on 8.8.4.4 or an IPv6 address (or worse, cause the entire resolution to fail).

For TCP and DNS-over-TLS, amplification limits don't apply, but the remainder of the logic is essentially the same. Since Google Public DNS can respond to queries on a TCP connection out of order, clients should be able to send other queries without waiting for the response to a previous one.

With DNS-over-HTTPS, we probably ought to be returning a 429 Too Many Requests error response with a Retry-After: 1 header rather than dropping queries.

You can file a feature request on our public issue tracker if you think this would be helpful.
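As an added illustration (not code from this thread or from Google Public DNS), the per-transport policy described above modelled as a decision function, plus a client-side helper that honours a 429 Retry-After instead of immediately retrying on another server; the function names, the Action type and the backoff cap are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Transport(Enum):
    UDP = "udp"
    TCP = "tcp"
    DOT = "dns-over-tls"
    DOH = "dns-over-https"


@dataclass(frozen=True)
class Action:
    kind: str                          # "answer", "drop", "truncate" or "http"
    http_status: Optional[int] = None  # only set for kind == "http"
    retry_after: Optional[int] = None  # seconds, only set for kind == "http"


def rate_limit_action(transport: Transport, over_query_limit: bool,
                      over_amplification_limit: bool) -> Action:
    """Resolver side (hypothetical model of the policy in the post).

    UDP over the query limit: drop, because SERVFAIL would just trigger an
    immediate retry against the other resolver address.  UDP over only the
    amplification limit: NODATA with TC=1 so legitimate clients fall back to
    TCP.  TCP and DoT have no amplification limit, so only the drop applies.
    DoH should get 429 Too Many Requests with Retry-After: 1.
    """
    if over_query_limit:
        if transport is Transport.DOH:
            return Action("http", http_status=429, retry_after=1)
        return Action("drop")
    if transport is Transport.UDP and over_amplification_limit:
        return Action("truncate")  # NODATA + TC flag
    return Action("answer")


def doh_retry_delay(status: int, headers: dict, attempt: int,
                    cap: float = 8.0) -> Optional[float]:
    """Client side: seconds to wait before retrying a DoH query, None if no retry.

    A 429 with a delta-seconds Retry-After is honoured as given; a 429 without
    one, or a 502/503/504 (what the original poster saw), uses capped
    exponential backoff rather than an immediate retry elsewhere.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        value = hdrs.get("retry-after", "").strip()
        if value.isdigit():
            return float(value)
        return min(cap, 2.0 ** attempt)
    if status in (502, 503, 504):
        return min(cap, 2.0 ** attempt)
    return None
```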
