Windows/Cyber Security: Enable RRL to help mitigate DNS Amplification attacks

Created: 8/30/20

Updated: 8/30/20

All servers should have this enabled to help mitigate DNS Amplification Attacks, Linky: Source

Commands:

# Enables RRL on the DNS Server
Set-DNSServerRRL

# adds a RRL exception for the local domain w/ a “*” wildcard
Add-DnsServerResponseRateLimitingExceptionlist -Name “RRL Local Network – vpool.local” -Fqdn “EQ,*.vpool.local”

You can configure RRL settings to control how to respond to requests to a DNS client when your server receives several requests targeting the same client. By doing this, you can prevent someone from sending a Denial of Service (Dos) attack using your DNS servers. For instance, a bot net can send requests to your DNS server using the IP address of a third computer as the requestor. Without RRL, your DNS servers might respond to all the requests, flooding the third computer. When you use RRL, you can configure the following settings:

  • Responses per second. This is the maximum number of times the same response will be given to a client within one second.
  • Errors per second. This is the maximum number of times an error response will be sent to the same client within one second.
  • Window. This is the number of seconds for which responses to a client will be suspended if too many requests are made.
  • Leak rate. This is how frequently the DNS server will respond to a query during the time responses are suspended. For instance, if the server suspends responses to a client for 10 seconds, and the leak rate is 5, the server will still respond to one query for every 5 queries sent. This allows the legitimate clients to get responses even when the DNS server is applying response rate limiting on their subnet or FQDN.
  • TC rate. This is used to tell the client to try connecting with TCP when responses to the client are suspended. For instance, if the TC rate is 3, and the server suspends responses to a given client, the server will issue a request for TCP connection for every 3 queries received. Make sure the value for TC rate is lower than the leak rate, to give the client the option to connect via TCP before leaking responses.
  • Maximum responses. This is the maximum number of responses the server will issue to a client while responses are suspended.
  • White list domains. This is a list of domains to be excluded from RRL settings.
  • White list subnets. This is a list of subnets to be excluded from RRL settings.
  • White list server interfaces. This is a list of DNS server interfaces to be excluded from RRL settings.

Source: Microsoft