[ratelimits] BIND9 DNS rate limit logging

Vernon Schryver vjs at rhyolite.com
Sat Jul 7 12:47:12 UTC 2012

> From: =?iso-8859-1?Q?Patrik_F=E4ltstr=F6m?= <paf at frobbit.se>

> One thing I have been looking for is "counting" both the number
> of blocked queries and the number of intervals where blocking occurs.
> And today we get the number of "windows", as we get the log entry
> when the window "opens" (i.e. when queries starts to get dropped
> in that window). You suggest getting data in the query category for
> also dropped queries which is good, but, it feels complicated to
> be forced to save the query category just to do the counting.
> Could one also get a log entry when a window is opened again (i.e.
> when the blocking for that window stops) where also the cumulative
> number of dropped queries according to that window rule has been counted?

Counters seem reasonable and possible, but I'm not sure how many there
should be.  I think these events might be counted:
   - dropped ordinary response
   - dropped NXDOMAIN response
   - dropped other error response
   - 'slipped' (TC=1) ordinary response
   - 'slipped' (TC=1) NXDOMAIN response
Do you want 5 counters, one for each type of action, 1 counter 
for all of them together, or an intermediate number of counters?
It would be easiest to have 1 counter for everything, or perhaps 2
counters, 1 for dropped other error responses and a second for
everything else.

Logging when a window is opened again sounds interesting, but
expensive.  The rate limiting machinery is triggered only by requests
and responses.  There are no timers and nothing happens in their
absence.  Doing something such as logging when a window opens would
require waking up spontaneously and examining the entire rate limiting
database.  Another complication is ensuring that a log entry is made
when an active bucket is stolen or recycled.  Hidden complications
include locking, shutting down and starting the timer upon `rndc reload`.
It wouldn't be hard, but ...

I propose to change the code to log all drops or slips (TC=1) in the
"queries" category and the start of dropping of a stream of responses
in the "rate-limit" category.  It repeats the "rate-limit" log entry
once every 60 seconds while the dropping of that stream continues so
that a continuing attack is not missed as log files are rotated.
Is 60 seconds too often or not often enough?

Would the ending of 60 (?) second still rate limit messages be good enough
to mark the opening of a window?

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list