Best practice on TCP replies for ANY queries

Hello everyone

I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains, and the server was replying over TCP
with 3700 bytes, releasing very heavy packets. Now I see the presence of some
(legitimate) DNS forwarders and hence I don't wish to limit queries.

As I understand it, there are two ways to fix this:

   1. I can put a DNS rate limit on replies to ANY queries, say 5 replies
   every minute (but again I have some forwarders with quite a few
   machines behind them).

   2. The other way is limiting the outbound size on TCP port 53, to say
   600-700 bytes or so.

I am sure I am not the first person experiencing this issue. Curious to hear
how you are managing it. Also, under what circumstances can I get a
legitimate TCP query on port 53 whose reply exceeds a basic limit of less
than 1000 bytes?

Thanks.

I'm not a DNS guru so I don't have an exact answer. However my gut
feeling is that putting in place a rule to drop or rate limit DNS
replies greater than X bytes is probably going to come back to bite you
in the future.

No one can predict the future of what will constitute legitimate DNS
traffic.

Hi ML

Yeah, I can understand. Even DNSSEC will have issues with it, which makes me
worry about the rule even today.

I think it is a better idea to rate-limit your responses rather than
limiting the size of them.

AFAIK, bind has a way to do it.

.as

You don't mention what software you're using. If you're using BIND, ask this question on bind-users@isc.org. There is indeed a solution.

Doug

Hi Doug

I am using PowerDNS recursor.

If you are using BIND, take a look at:

https://kb.isc.org/article/AA-01000

cv

dns-operations list is likely best suited for this question, but...

If using BIND 9.9.4 you can set the system to use TCP for repeated queries to prevent spoofed ones from being replied to (i.e. using yourself as an amplifier).

There are lists of domains published that are used in abuse, e.g.:

https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

You should restrict your DNS server (as much as possible) to only respond to your customer base.

If you are using Microsoft DNS, STOP. It has no way to restrict the clients it replies to queries for. Set up real software to forward to it which does the filtering and scoping for your space.

NSD and others also have the ability to configure rate-limiting. Knowing what software you are using is an important key here for proper recommendations and guide pointers.

Good luck,

- jared
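A concrete version of the "restrict to your customer base" and rate-limiting advice above, as an added example that is not from the thread: a BIND named.conf fragment showing the open configuration beside the restricted one. It assumes a BIND build with RRL support (a compile-time option in the 9.9 series) and uses the constructed prefix 192.0.2.0/24 as a stand-in for the customer networks.

```conf
// Added example, not from the thread. Two alternatives for the same
// options block; a real named.conf contains only one of them.

// 1. Open recursive resolver: recursion is granted to anyone, so spoofed
//    ANY queries from the Internet are answered and amplified.
options {
    recursion yes;
    allow-recursion { any; };    // weak: open resolver
};

// 2. Restricted resolver for the same server.
acl customers {
    192.0.2.0/24;    // constructed placeholder for the customer networks
    localnets;       // interfaces the server itself is attached to
};

options {
    recursion yes;
    allow-recursion { customers; };    // only our own clients get recursion
    allow-query-cache { customers; };  // and only they may read the cache

    // Response Rate Limiting. Beyond the limit, identical answers to one
    // IPv4 /24 are dropped; every "slip"th one is instead answered with a
    // truncated (TC=1) reply, so a real client retries over TCP while a
    // spoofed source never completes the handshake.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        log-only no;    // set to yes first to observe what would be limited
    };
};
```

Forwarders with many machines behind them share one source address, so watch the RRL log output with `log-only yes` before enforcing the limit.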


You are going to have to change your mind about this one. Open recursive
resolvers are a really bad idea, unless you can afford a lot of time and
cleverness to manage the abuse. Get your users to choose a more
appropriate name server, and restrict your name server to your local
networks.

Tony.

http://www.team-cymru.org/Services/Resolvers/

The Internet will be a better place with less open resolvers around.

--SiNA

Also:

http://openresolverproject.org/

Also, open resolvers are harmful to the Internet, so it would not surprise
me to see organizations begin blocking any communication with them based on
published lists of open recursive resolvers.

- - ferg.

The Internet will be better without ISPs refusing to apply BCP38.

    <end of comment>

This is a pointless argument since the majority of the industry
prefer going after the <flavor of the month> UDP flood instead of
curbing the problem at its source once and for all.

I would restate this as "Network Operators" vs "ISPs".

If you operate a network and it allows spoofing internally, or facing your ISP, you are also at fault.

- Jared