[ratelimits] ratelimiting /24 for <tld>

Tony Finch dot at dotat.at
Fri Jul 6 17:59:18 UTC 2012


My toy name server is authoritative for a few zones and provides recursive
service for the machine it runs on. I have configured rate limiting in
case it gets attacked - the zones are signed. The only time the limiter
hits is for recursive service, but if I understand the logs correctly it
is using the TLD rather than the QNAME as the hash table key. For example,

05-Jul-2012 17:02:12.352 rate-limit: info: client 127.0.0.1#45990 (google.com): rate limiting /24 for com
05-Jul-2012 17:02:13.772 rate-limit: info: client 127.0.0.1#49967 (google.com): rate limiting /24 for com
05-Jul-2012 17:02:50.666 rate-limit: info: client 127.0.0.1#61454 (google.com): rate limiting /24 for com
05-Jul-2012 17:02:56.856 rate-limit: info: client 127.0.0.1#47649 (google.com): rate limiting /24 for com
05-Jul-2012 17:03:45.339 rate-limit: info: client 127.0.0.1#33859 (feeds.feedburner.com): rate limiting /24 for com
05-Jul-2012 17:03:55.705 rate-limit: info: client 127.0.0.1#60883 (feeds.feedburner.com): rate limiting /24 for com
05-Jul-2012 17:04:28.586 rate-limit: info: client 127.0.0.1#32788 (feeds.feedburner.com): rate limiting /24 for com

Earlier in my logs when I was testing it was using other names as indexes,
typically the zone apex of the QNAME, but not always. An interesting case
is:

11-Jun-2012 19:12:56.153 rate-limit: info: client 127.0.0.1#60633
	(djfkjsdhf.dotat.at): rate limiting /24 for culture.dotat.at

The NXDOMAIN response includes the covering NSEC record with owner name
culture.dotat.at.

This looks like a bug to me. Should query_find() be passing
client->query.qname rather than fname to dns_rrl(), perhaps?

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Northerly or northwesterly 4 or 5, occasionally 6 in southeast.
Moderate or rough. Occasionally rain later in north. Good, occasionally
moderate later in north.


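Added example, not code from the post or from BIND: a small Python checker that parses rate-limit log lines in the format quoted above and classifies the name the limiter keyed on relative to the QNAME, so that lines where the key is a bare TLD or a name that is not an ancestor of the QNAME (the two cases described in the post) can be picked out of a log. The sample lines are constructed for this example; the field layout follows the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the BIND rate-limit log format quoted in the post
# (timestamps, ports and names are made up for this example).
SAMPLE_LOG = """\
05-Jul-2012 17:02:12.352 rate-limit: info: client 127.0.0.1#45990 (google.com): rate limiting /24 for com
05-Jul-2012 17:03:45.339 rate-limit: info: client 127.0.0.1#33859 (feeds.feedburner.com): rate limiting /24 for com
11-Jun-2012 19:12:56.153 rate-limit: info: client 127.0.0.1#60633 (djfkjsdhf.dotat.at): rate limiting /24 for culture.dotat.at
11-Jun-2012 19:13:01.002 rate-limit: info: client 127.0.0.1#60634 (www.dotat.at): rate limiting /24 for dotat.at
"""

# One line: "<date> <time> rate-limit: info: client <addr>#<port> (<qname>): rate limiting /<prefix> for <key>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rate-limit: info: client (?P<client>[\d.:a-fA-F]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rate limiting /(?P<prefix>\d+) for (?P<key>\S+)$"
)


def classify(qname, key):
    """Relate the name the limiter keyed on to the QNAME that triggered it."""
    q = qname.rstrip(".").lower().split(".")
    k = key.rstrip(".").lower().split(".")
    if q == k:
        return "qname"          # keyed on the query name itself
    if len(k) == 1:
        return "tld"            # keyed on a bare top-level label, e.g. "com"
    if q[-len(k):] == k:
        return "ancestor"       # keyed on a parent, typically the zone apex
    return "other"              # key is not above the QNAME at all (e.g. an NSEC owner)


def parse_log(text):
    """Return one record per parseable rate-limit line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["class"] = classify(rec["qname"], rec["key"])
            records.append(rec)
    return records


def summarize(text):
    """Count how the limiter keys were chosen across the whole log."""
    return Counter(r["class"] for r in parse_log(text))


def suspicious(text):
    """Lines where the key is a bare TLD or unrelated to the QNAME: worth a closer look."""
    return [r for r in parse_log(text) if r["class"] in ("tld", "other")]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for r in suspicious(SAMPLE_LOG):
        print(r["ts"], r["qname"], "->", r["key"], "(" + r["class"] + ")")
```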