SetDnsServerRRL method of the PS_DnsServerResponseRateLimiting class

Sets the response rate limiting on a DNS server.

Syntax

uint32 SetDnsServerRRL(
  [in]  uint32                        ResponsesPerSec,
  [in]  uint32                        ErrorsPerSec,
  [in]  uint32                        WindowInSec,
  [in]  uint32                        IPv4PrefixLength,
  [in]  uint32                        IPv6PrefixLength,
  [in]  uint32                        LeakRate,
  [in]  boolean                       ResetToDefault,
  [in]  uint32                        TruncateRate,
  [in]  uint32                        MaximumResponsesPerWindow,
  [in]  string                        Mode,
  [in]  string                        ComputerName,
  [in]  boolean                       PassThru,
  [in]  boolean                       Force,
  [out] DnsServerResponseRateLimiting cmdletOutput
);

Parameters

ResponsesPerSec [in]

The maximum number of times that a requestor will be told the same answer within a one-second interval.

ErrorsPerSec [in]

This is similar to RESPONSES-PER-SECOND but applies only to the REFUSED, FORMERR and SERVFAIL response codes.

WindowInSec [in]

This is the period (in seconds) over which rates are measured and averaged for RRL. RRL is applied when queries from the same subnet that result in the same response occur more frequently than expected within the specified time window. The default value is 5.

IPv4PrefixLength [in]

Requestor IP (version 4) addresses are grouped into buckets of size (32 - IPV4-PREFIX-LENGTH) ^ 2.

IPv6PrefixLength [in]

Requestor IP (version 6) addresses are grouped similarly to IP (version 4) addresses.

LeakRate [in]

When a query would be dropped due to rate limiting, the server randomly responds anyway once per LEAK-RATE queries. This gives the victim whose IP address is being forged some chance of getting an answer even during a flood of forgeries. LEAK-RATE should be from 2 to 10 and should approximate the real victim's retry count on a legitimate query. If LEAK-RATE is set to zero then this behavior is disabled.

ResetToDefault [in]

This parameter sets all the RRL settings to their default values.

TruncateRate [in]

When a query would be dropped due to rate limiting, the server randomly sends back a truncated response instead once per TC-RATE queries. This tells a victim whose address is being forged to retry using TCP. It is recommended that TC-RATE be set lower than LEAK-RATE. If TC-RATE is set to zero then this behavior is disabled.

MaximumResponsesPerWindow [in]

The maximum number of responses that will be sent for a subnet-domain tuple in a window. This is useful for putting an upper limit on responses in cases where leak rates are leading to reflection attacks.
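The following PowerShell script is an added illustration of how the parameters above interact; it is not Microsoft code and does not reproduce the DNS Server's internal implementation (which is not public). It models the documented semantics: requestors are bucketed by their IPv4 /prefix subnet together with the response they would receive, full answers per bucket are limited to ResponsesPerSec * WindowInSec, suppressed queries get a truncated reply once per TruncateRate or a leaked answer once per LeakRate (deterministic "every Nth" counters stand in for the server's random choice), and MaximumResponsesPerWindow caps everything that leaves the server for the bucket. Function names and the sample query stream are constructed for the example.

```powershell
# Added illustrative model of DNS RRL parameter interaction (not Microsoft code).

function Get-RrlBucketKey {
    # Returns the /PrefixLength network that contains an IPv4 requestor address.
    param(
        [Parameter(Mandatory)][string]$RequestorIP,
        [int]$IPv4PrefixLength = 24
    )
    $bytes = [System.Net.IPAddress]::Parse($RequestorIP).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> little-endian for BitConverter
    $addr = [BitConverter]::ToUInt32($bytes, 0)
    $hostBits = 32 - $IPv4PrefixLength
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, $hostBits))
    $network = [uint32]($addr -band $mask)
    $netBytes = [BitConverter]::GetBytes($network)
    [Array]::Reverse($netBytes)
    return ('{0}/{1}' -f [System.Net.IPAddress]::new([byte[]]$netBytes).ToString(), $IPv4PrefixLength)
}

function Invoke-RrlSimulation {
    # Applies a simplified RRL decision to a stream of queries and returns one
    # record per query with the action taken: Answer, Truncate, Leak or Drop.
    param(
        [Parameter(Mandatory)][object[]]$Queries,  # objects with Time (seconds), RequestorIP, ResponseKey
        [int]$ResponsesPerSec = 5,
        [int]$WindowInSec = 5,
        [int]$IPv4PrefixLength = 24,
        [int]$LeakRate = 3,
        [int]$TruncateRate = 2,
        [int]$MaximumResponsesPerWindow = 1024
    )
    $state = @{}    # bucket key -> counters for the current window
    foreach ($q in ($Queries | Sort-Object Time)) {
        $subnet = Get-RrlBucketKey -RequestorIP $q.RequestorIP -IPv4PrefixLength $IPv4PrefixLength
        $key = '{0}|{1}' -f $subnet, $q.ResponseKey
        $windowStart = [math]::Floor($q.Time / $WindowInSec) * $WindowInSec
        if (-not $state.ContainsKey($key) -or $state[$key].WindowStart -ne $windowStart) {
            # New bucket, or the measurement window rolled over: reset the counters.
            $state[$key] = @{ WindowStart = $windowStart; Answered = 0; Suppressed = 0; TotalSent = 0 }
        }
        $s = $state[$key]   # hashtable is a reference, so updates below persist
        if ($s.Answered -lt ($ResponsesPerSec * $WindowInSec)) {
            $s.Answered++; $s.TotalSent++
            $action = 'Answer'
        }
        else {
            $s.Suppressed++
            $action = 'Drop'
            # Leak and truncate only while the per-window ceiling has not been reached.
            if ($s.TotalSent -lt $MaximumResponsesPerWindow) {
                if ($TruncateRate -gt 0 -and (($s.Suppressed % $TruncateRate) -eq 0)) {
                    $action = 'Truncate'; $s.TotalSent++     # tells a real client to retry over TCP
                }
                elseif ($LeakRate -gt 0 -and (($s.Suppressed % $LeakRate) -eq 0)) {
                    $action = 'Leak'; $s.TotalSent++         # occasional full answer for a real victim
                }
            }
        }
        [pscustomobject]@{ Time = $q.Time; Bucket = $key; Action = $action }
    }
}

# Constructed sample: 20 queries within one second from 20 hosts in 203.0.113.0/24
# that all yield the same answer, plus one unrelated query from another subnet.
$sample = 1..20 | ForEach-Object {
    [pscustomobject]@{ Time = 0.05 * $_; RequestorIP = "203.0.113.$_"; ResponseKey = 'www.example.test/A' }
}
$sample += [pscustomobject]@{ Time = 0.5; RequestorIP = '198.51.100.7'; ResponseKey = 'www.example.test/A' }

Invoke-RrlSimulation -Queries $sample -ResponsesPerSec 2 -WindowInSec 5 -LeakRate 3 -TruncateRate 2 |
    Group-Object Bucket, Action | Select-Object Name, Count
```

With ResponsesPerSec 2 and WindowInSec 5 the flooded /24 bucket gets 10 full answers, then the remaining 10 are suppressed, with every second suppressed query truncated and every third (when not already truncated) leaked; the lone query from 198.51.100.0/24 is in its own bucket and is answered normally. Lowering MaximumResponsesPerWindow to 10 in this run makes every suppressed query a Drop, which is the ceiling the parameter exists to provide.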

Mode [in]

The mode of operation.

The possible values are:

"LogOnly"

"Enable" (default)

"Disable"

ComputerName [in]

Optional DNS server name.

PassThru [in]

True to return the current instance in the cmdletOutput parameter; false otherwise. The default value is false.

Force [in]

True to not require user confirmation before continuing with the operation; false to require user confirmation. The default value is false.

cmdletOutput [out]

On return, contains a DnsServerResponseRateLimiting object that contains the RRL for a DNS server.
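The following PowerShell script is an added example of calling this method from an administrator's session; it is not from the page or from Microsoft. It uses the DnsServer module cmdlets Set-DnsServerResponseRateLimiting and Get-DnsServerResponseRateLimiting, which wrap this class, and then shows the equivalent raw Invoke-CimMethod call against the namespace and class named in this page's Requirements section (the argument names follow the method signature above; that the static method accepts them this way is an assumption of the example). The server name is a placeholder and the numeric values are chosen for illustration. The staged approach starts in LogOnly so the effect on legitimate clients can be reviewed in the DNS server's logs before any response is actually dropped.

```powershell
# Added example (not Microsoft code): staged RRL rollout on Windows Server 2016 or later.
$Server = 'dns01.example.test'   # placeholder DNS server name

# 1. Capture the current settings so they can be restored if the change misbehaves.
$before = Get-DnsServerResponseRateLimiting -ComputerName $Server
$before | Format-List

# 2. Apply the desired thresholds in LogOnly mode: the server evaluates RRL and
#    logs what it would have dropped, but still answers every query.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 `
    -IPv4PrefixLength 24 -IPv6PrefixLength 56 `
    -LeakRate 3 -TruncateRate 2 -MaximumResponsesPerWindow 1024 `
    -Force -PassThru

# 3. After reviewing the logged decisions, switch enforcement on.
Set-DnsServerResponseRateLimiting -ComputerName $Server -Mode Enable -Force

# Equivalent raw CIM call for step 2, invoking SetDnsServerRRL directly.
# Assumption: the static method accepts its [in] parameters as a hashtable in this form.
$args = @{
    ResponsesPerSec           = [uint32]5
    ErrorsPerSec              = [uint32]5
    WindowInSec               = [uint32]5
    IPv4PrefixLength          = [uint32]24
    IPv6PrefixLength          = [uint32]56
    LeakRate                  = [uint32]3
    TruncateRate              = [uint32]2
    MaximumResponsesPerWindow = [uint32]1024
    ResetToDefault            = $false
    Mode                      = 'LogOnly'
    ComputerName              = $Server
    PassThru                  = $true
    Force                     = $true
}
$result = Invoke-CimMethod -ComputerName $Server `
    -Namespace 'Root\Microsoft\Windows\Dns' `
    -ClassName 'PS_DnsServerResponseRateLimiting' `
    -MethodName 'SetDnsServerRRL' -Arguments $args
$result.ReturnValue        # 0 on success
$result.cmdletOutput       # the DnsServerResponseRateLimiting object returned via PassThru

# Roll back to the built-in defaults if needed.
Set-DnsServerResponseRateLimiting -ComputerName $Server -ResetToDefault -Force
```

Both forms reach the same provider method; the cmdlet is the supported surface, while the raw call is useful when the DnsServer module is not installed on the management host but WinRM access to the server is available.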

Requirements

Minimum supported client: None supported
Minimum supported server: Windows Server 2016
Namespace: Root\Microsoft\Windows\Dns
MOF: DnsServerPSProvider.mof
DLL: DnsServerPSProvider.dll

See also

PS_DnsServerResponseRateLimiting