Rate limit for DNS over HTTPS

165 views
Skip to first unread message

Birajendu Sahu

unread,
Oct 8, 2018, 12:22:45 PM10/8/18
to public-dns-discuss
What is the QPS rate limit for https://dns.google.com/query? .

I have observed different rate limits for my testes in different Geo locations, but wanted to confirm before implementing in my application. here we may end up requesting more than 1000 requests for seconds from same large organisation ip. If ther is a rate limit how to overcome that?


Thanks and Regards,
Birajendu


Alex Dupuy

unread,
Oct 10, 2018, 10:22:24 AM10/10/18
to public-dns-discuss
You can request an increased rate limit at https://issuetracker.google.com/issues/new?component=191885&template=1024641.

Note that there are multiple internal limits besides the raw QPS, so that even with an increased limit, some queries may be dropped, depending on usage patterns.

bira...@netskope.com

unread,
Oct 15, 2018, 1:43:25 PM10/15/18
to public-dns-discuss
Is this rate limit is 100 QPS as limited for 8.8.8.8 DNS server?

Alex Dupuy

unread,
Oct 17, 2018, 9:27:38 AM10/17/18
to public-dns-discuss
Rate limits are applied equally for UDP and HTTPS transports, but HTTPS traffic is also subject to general Google web service limits.

bira...@netskope.com

unread,
Oct 23, 2018, 9:09:10 AM10/23/18
to public-dns-discuss
Is there any specific error code when this service hits rate limit, I have noticed few times 502 error, most of the time request timeout!

Alex Dupuy

unread,
Oct 23, 2018, 9:54:16 AM10/23/18
to public-dns-discuss
Thanks for your question, birajendu.

You wrote:
Is there any specific error code when this service hits rate limit, I have noticed few times 502 error, most of the time request timeout!

In the UDP cases, we just drop the DNS request, since there is no useful DNS response for rate limiting. Returning a NODATA response with the TC (truncated) flag set is useful for amplification limits to redirect legitimate clients to TCP and protect against reflection attacks, but when there are simply too many queries, moving the query load over to TCP would be counter-productive. Letting the query time out will naturally reduce the load, whereas returning a SERVFAIL error for a query to 8.8.8.8 would often result in an immediate retry on 8.8.4.4 or an IPv6 address (or worse, cause the entire resolution to fail).

For TCP and DNS-over-TLS, amplification limits don't apply, but the remainder of the logic is essentially the same. Since Google Public DNS can respond to queries on a TCP connection out of order, clients should be able to send other queries without waiting for the response to a previous one.

With DNS-over-HTTPS, we probably ought to be returning a 429 Too Many Requests error response with a Retry-After: 1 header rather than dropping queries.

You can file a feature request on our public issue tracker if you think this would be helpful.

Birajendu Sahu

unread,
Oct 23, 2018, 5:44:02 PM10/23/18
to public-dns-discuss
Thanks you for the clarification...

George Ge

unread,
Nov 25, 2018, 9:30:38 PM11/25/18
to public-dns-discuss
Hi, Alex.
Here is my issue for an increase in rate limit: https://issuetracker.google.com/issues/119839388.
Is it correctly proposed?

在 2018年10月23日星期二 UTC+8下午9:54:16,Alex Dupuy写道:
Reply all
Reply to author
Forward
0 new messages