
Verify global rate limiting on DNS anycast infrastructures

Determine whether the anycast infrastructure of at least one large public recursive DNS provider enforces global rate limiting across all of its anycast instances (points of presence, PoPs), rather than only local per-instance limits, by assessing whether concurrently issued, geographically distributed queries (e.g., relayed through transparent DNS forwarders so that they reach different PoPs) are collectively constrained by a single global limit.


Background

The paper investigates how transparent DNS forwarders can be orchestrated to bypass local rate limits at public recursive DNS resolvers, particularly those deployed via IP anycast by providers such as Google and Cloudflare. Measurements consistently revealed local (per-instance) rate limiting behavior that attackers could circumvent by distributing queries across multiple anycast points of presence (PoPs), so that each PoP only ever sees a fraction of the total query rate.

In the discussion, the authors note that at least one large DNS provider claims to deploy global rate limiting across its anycast infrastructure. However, due to ethical constraints, the authors did not verify whether such global rate limiting is actually enforced, leaving open whether global, cross-PoP limits can prevent orchestration-based bypasses of local rate limits.
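The distinction the open question turns on can be made concrete with a small model. The following is an added example, not code from the paper or from any provider: it models an anycast resolver whose instances count answered queries per source address in a fixed window, either with one counter per instance (local limiting) or with one counter shared by all instances (global limiting), replays the orchestration pattern from the paper against both, and classifies the observed aggregate. The instance names, forwarder names, the per-window limit of 100 and the source address are constructed for the example; real resolvers use rate-limiting algorithms the paper does not disclose, and nothing here talks to a real provider.

```python
"""
Model of per-instance versus global rate limiting on an anycast resolver.
Added illustration, not code from the paper; instance names, limits and
addresses are constructed. Nothing here sends real DNS traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AnycastResolver:
    """Anycast service with the instances in `pops`. Each instance answers at
    most `limit` queries per source address per window. With `global_limit`
    set, the counter is shared by all instances instead of kept per instance.
    (Assumed model: a fixed-window counter keyed on the query's source IP.)"""
    pops: tuple
    limit: int
    global_limit: bool = False
    # counters[(scope, src_ip)] -> queries answered in the current window
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def query(self, pop: str, src_ip: str) -> bool:
        """True if instance `pop` answers a query carrying `src_ip`,
        False if the query is dropped by the rate limiter."""
        if pop not in self.pops:
            raise ValueError(f"unknown instance {pop}")
        scope = "global" if self.global_limit else pop
        key = (scope, src_ip)
        if self.counters[key] >= self.limit:
            return False
        self.counters[key] += 1
        return True


def orchestrate(resolver, src_ip, forwarder_to_pop, per_forwarder_queries):
    """Replay the orchestration pattern: every transparent forwarder relays
    `per_forwarder_queries` queries that all carry the same (spoofed) source
    address `src_ip`; BGP decides which instance each forwarder lands on
    (`forwarder_to_pop`). All traffic falls into one window. Returns the
    number of answered queries per forwarder."""
    answered = {}
    for fwd, pop in forwarder_to_pop.items():
        answered[fwd] = sum(
            resolver.query(pop, src_ip) for _ in range(per_forwarder_queries)
        )
    return answered


def classify(answered, per_instance_limit, distinct_instances, tolerance=0.1):
    """Decide which model the observation fits.
    'local'   : aggregate answered ~ distinct_instances * per_instance_limit
    'global'  : aggregate answered ~ per_instance_limit, despite several
                instances being reached
    'unclear' : neither, or fewer than two distinct instances were reached
                (then the two models are indistinguishable)."""
    if distinct_instances < 2:
        return "unclear"
    total = sum(answered.values())
    expect_local = distinct_instances * per_instance_limit
    if abs(total - expect_local) <= tolerance * expect_local:
        return "local"
    if abs(total - per_instance_limit) <= tolerance * per_instance_limit:
        return "global"
    return "unclear"


def demo():
    """Run both models with three forwarders that reach three instances."""
    pops = ("ams", "fra", "sjc")                     # constructed instance names
    fwds = {"fwd-nl": "ams", "fwd-de": "fra", "fwd-us": "sjc"}  # constructed
    victim = "198.51.100.7"                          # documentation address
    results = {}
    for name, global_limit in (("local", False), ("global", True)):
        resolver = AnycastResolver(pops, limit=100, global_limit=global_limit)
        answered = orchestrate(resolver, victim, fwds, per_forwarder_queries=150)
        results[name] = classify(answered, 100, len(set(fwds.values())))
    return results


if __name__ == "__main__":
    print(demo())
```

The `distinct_instances` argument is the check a practitioner would not skip: if all vantage points happen to be routed to the same PoP, a per-instance limiter also yields a single limit's worth of answers, and the observation says nothing. In a real measurement, which instance each forwarder reaches would have to be established separately, for example with a CHAOS-class id.server or hostname.bind query, which many anycast operators answer with an instance identifier. The paper itself did not run such a measurement against the provider in question for ethical reasons, and this model only makes precise what would distinguish the two outcomes.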

References

We know at least one large DNS provider that claims to protect its anycast infrastructure by implementing global rate limiting. We were not able to verify this because of ethics considerations.

Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks (2510.18572 - Koch et al., 21 Oct 2025) in Section 9 (Discussion), Over- or underestimation of the threat landscape