• DNS_RRL_MAX_RATE defines 1000

    From 程智勇@chengzhycn@gmail.com to bind-users on Wed Jul 8 14:47:36 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi, all

    I recently deployed a DNS cluster consisting of a master and two slaves. I enabled the response rate limiting function on the slaves, with parameters like below:

    rate-limit {
        ipv4-prefix-length 32;
        responses-per-second 250;
        all-per-second 1000;
        min-table-size 1000000;
        max-table-size 5000000;
        log-only no;
    };

    But even with this configuration, there were still some DNS queries dropped because of the RRL. I viewed rrl.h and noticed the max RRL rate is defined like this:

    #define DNS_RRL_MAX_RATE 1000

    And "all-per-second" shouldn't be larger than DNS_RRL_MAX_RATE.

    So could anybody tell me why DNS_RRL_MAX_RATE is defined as 1000? And are there any other methods to bypass this limit?

    Thanks and Regards, Zhiyong Cheng


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Tony Finch@dot@dotat.at to 程智勇 on Wed Jul 8 16:45:38 2020
    From Newsgroup: comp.protocols.dns.bind

    程智勇 <chengzhycn@gmail.com> wrote:

    > So could anybody tell me why DNS_RRL_MAX_RATE defined 1000?

    RRL is designed for authoritative DNS servers. Legitimate queries come
    from recursive resolvers with caches. There should not be more than one
    query for each RRset from each resolver per TTL. So a normal response rate limit is relatively small - I set it to 10.

    If you are hitting 1000 queries per second, that implies either there
    are 1000 resolvers behind one IP address (which is VERY unlikely); or the
    query traffic is abusive.

    Are you sure the dropped traffic is legitimate?

    Tony.
    -- 
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Channel Islands: West to southwest 4 to 5, occasionally 6 mid-channel
    overnight and Thursday morning, occasionally west to northwest 2 to 4 in the
    far south of the area. Slight to moderate with a low swell, perhaps occasionally rather rough mid-channel until late morning. Occasional mist and
    fog, especially overnight rain and drizzle at times, especially from Thursday
    morning. Moderate to poor or very poor, locally good at times.
  • From Tony Finch@dot@dotat.at to Zhiyong Cheng on Thu Jul 9 19:11:44 2020
    From Newsgroup: comp.protocols.dns.bind

    Zhiyong Cheng <chengzhycn@gmail.com> wrote:

    > We are using named cluster in our internal network as the authoritative
    > DNS. So there are no cache servers between clients and named cluster.
    > Maybe we should add one but it is just another story.

    Sorry, I wasn't completely clear: I was not saying that your authoritative servers should have a cache. I was saying that all the legitimate clients
    of your servers (the resolvers at ISPs around the Internet) have caches.

    > To my mind the RRL should not limit queries with different qnames from
    > the same client. So is it my misunderstanding or wrong config?

    If you are querying for nonexistent names then RRL will treat the NXDOMAIN responses as equivalent, so it will rate-limit them. RRL limits responses,
    not queries. You can configure a different `nxdomains-per-second` limit if
    you want.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Rockall, Malin: Northwest 4 or 5. Moderate. Showers. Good.
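The two points Tony makes above (a low responses-per-second does not hurt clients asking for many different existing names, and NXDOMAIN answers for one zone are rate-limited as if they were identical, with `nxdomains-per-second` as the separate knob) can be checked with a small simulation. The following is an added example written for this thread, not BIND's own code: it models RRL bucket identity the way the BIND documentation describes it (client prefix plus qname/qtype for NOERROR, client prefix plus zone name for NXDOMAIN) and applies the limits per whole second rather than with BIND's token-bucket accounting, ignores `all-per-second`, and uses constructed sample traffic from one client in the 192.0.2.0/24 documentation range. The `bucket_key` and `simulate` helpers are hypothetical names.

```python
"""Simplified model of how BIND RRL groups responses into rate-limit buckets.

Added example for this thread; it is not BIND's own code. It approximates
the documented behaviour: NOERROR answers are identified by client prefix,
qname and qtype, while NXDOMAIN answers for a zone are identified by client
prefix and zone name only, so many different nonexistent names from one
client share a single bucket. Limits are applied per whole second here
rather than with BIND's token-bucket accounting (a simplification), and
all-per-second is not modelled.
"""
from collections import Counter
import ipaddress

ZONE = "example.com."
CLIENT = "192.0.2.10"  # constructed sample client (RFC 5737 documentation range)

# Constructed sample: one client sends, within the same second, 300 queries
# for distinct nonexistent names and 300 queries for distinct existing names.
SAMPLE_RESPONSES = (
    [(0.0, CLIENT, f"missing{i}.example.com.", "A", "NXDOMAIN") for i in range(300)]
    + [(0.0, CLIENT, f"host{i}.example.com.", "A", "NOERROR") for i in range(300)]
)


def bucket_key(client_ip, qname, qtype, rcode, zone=ZONE, prefix_len=32):
    """Identity of the bucket a response is charged to (hypothetical helper)."""
    prefix = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    if rcode == "NXDOMAIN":
        # All NXDOMAIN answers from the same zone collapse into one bucket.
        return (str(prefix), "NXDOMAIN", zone.lower())
    return (str(prefix), rcode, qname.lower(), qtype)


def simulate(responses, responses_per_second=250, nxdomains_per_second=None):
    """Count allowed/dropped responses per one-second window and bucket.

    Returns (totals, dropped_by_rcode). nxdomains_per_second defaults to
    responses_per_second, matching BIND's documented default.
    """
    if nxdomains_per_second is None:
        nxdomains_per_second = responses_per_second
    charged = Counter()           # (bucket key, second) -> responses seen so far
    totals = {"allowed": 0, "dropped": 0}
    dropped_by_rcode = Counter()
    for t, client, qname, qtype, rcode in sorted(responses, key=lambda r: r[0]):
        window = (bucket_key(client, qname, qtype, rcode), int(t))
        limit = nxdomains_per_second if rcode == "NXDOMAIN" else responses_per_second
        charged[window] += 1
        if charged[window] <= limit:
            totals["allowed"] += 1
        else:
            totals["dropped"] += 1
            dropped_by_rcode[rcode] += 1
    return totals, dropped_by_rcode


if __name__ == "__main__":
    for label, kwargs in [
        ("thread's config (responses-per-second 250)", {}),
        ("Tony's value (responses-per-second 10)", {"responses_per_second": 10}),
        ("separate nxdomains-per-second 300", {"nxdomains_per_second": 300}),
    ]:
        totals, by_rcode = simulate(SAMPLE_RESPONSES, **kwargs)
        print(f"{label}: {totals}, dropped by rcode: {dict(by_rcode)}")
```

Run stand-alone it shows that with the thread's `responses-per-second 250` the 300 NXDOMAIN answers lose 50 responses while the 300 distinct NOERROR answers lose none, that lowering the limit to Tony's 10 still drops nothing for the distinct existing names, and that only the NXDOMAIN bucket needs a higher `nxdomains-per-second` if that traffic is in fact legitimate. When diagnosing drops in production, `log-only yes` together with the rate-limit log category gives the same per-bucket picture without dropping anything.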