[ratelimits] NSD RRL versus BIND RRL comparison test results

Paul Vlaar pvlaar at afilias.info
Fri Nov 23 11:56:13 UTC 2012


Hi all,

I've done some testing using NSD with RRL versus BIND.

These are the versions used:

 NSD 3.2.14
 BIND 9.8.3-vjs197.16-P4

The query data is real world traffic for the isc.org and dlv.isc.org
zones, which we host for ISC on a dedicated address. I've done this on
one of our anycast instances that we run for this server. The 4 target
nameservers are running NSD + RRL, BIND + RRL, NSD w/o RRL and BIND w/o
RRL. The traffic is coming in at normal, real time speed.

I've set up a small system to count all incoming queries and outgoing
replies using pcaps and dnstop on each server. Every 5 minutes a full
count is done and picked up by Cacti, the resulting graphs of which I
have attached here. I'm also graphing the bandwidth usage for each server.

Configuration settings:

 NSD
        rrl-ratelimit: 5
        rrl-size: 10000000

 BIND
        rate-limit {
                responses-per-second 5;
                window 15;
                slip 2;
        };

As I've just started collecting data and graphing there isn't much
history to show yet, but I wanted to share the initial results.

Doing some basic math according to the average replies versus queries
numbers recorded in the graphs shows me:

 NSD + RRL: ~4% reduction.
 BIND + RRL: ~6% reduction.

Note that when I first started experimenting with BIND + RRL back in
September we had a much higher rate of reduction due to relatively large
reflection attacks going on at the time.

When doing bursts of queries using dig from a client close to the
server, this is the result:

 NSD + RRL:

$ for i in {0..20} ; do dig +short +tries=1 +time=1 soa isc.org. @${NSD_RRL_server} ; done
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; Truncated, retrying in TCP mode.
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; Truncated, retrying in TCP mode.
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; Truncated, retrying in TCP mode.
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached

 BIND + RRL:

$ for i in {0..20} ; do dig +short +tries=1 +time=1 soa isc.org. @${BIND_RRL_server} ; done
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; Truncated, retrying in TCP mode.
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; Truncated, retrying in TCP mode.
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600
;; connection timed out; no servers could be reached
ns-int.isc.org. hostmaster.isc.org. 2012112000 7200 3600 24796800 3600


What caught my attention as well is the difference in bandwidth used by
both daemons. This is most likely due to the high amount of DNSSEC + ANY
queries that we receive for the ISC zones and the way these are handled.
A typical breakdown over a 5 minute period on any of these servers looks
like this:

Query Type     Count      %   cum%
---------- --------- ------ ------
ANY?          181853   80.2   80.2
#32769?        40086   17.7   97.9
A?              1665    0.7   98.6
DS?             1097    0.5   99.1
AAAA?            623    0.3   99.4
A6?              572    0.3   99.6
DNSKEY?          285    0.1   99.7
NS?              187    0.1   99.8
SRV?              91    0.0   99.9
NSEC?             86    0.0   99.9
TXT?              48    0.0   99.9
SOA?              48    0.0   99.9
SPF?              48    0.0  100.0
#35?              33    0.0  100.0
MX?               23    0.0  100.0
RRSIG?            18    0.0  100.0
PTR?               6    0.0  100.0
#65323?            1    0.0  100.0

Where NSD will truncate, cutting off the additional section and
resulting in a message size of 3057 bytes when asked for ANY ISC.ORG
with DNSSEC turned on, BIND will include the additional section and this
results in 4049 bytes. I believe this accounts for the difference shown
in the bandwidth graph.

I've kept logs for both daemons showing RRL activity. If anyone is
interested I can forward these after some anonymization.

I hope this is interesting / useful to anyone.

	~paul

-- 
Paul Vlaar
Content Propagation and Resolution
Afilias

e-mail: pvlaar at afilias.info
phone: +1-416-673-4078
cell: +31-6-506-306-35
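As an added illustration (not code from the post, NSD or BIND), here is a small Python model of the token-bucket RRL scheme with the post's parameters (5 responses per second, window 15, slip 2), showing why a burst of 21 dig queries comes back as a mix of answers, truncated replies and timeouts. The client netblock, the per-query timings and the refill/debt rules are simplified assumptions, not either daemon's exact implementation.

```python
from dataclasses import dataclass, field


@dataclass
class RRL:
    """One token bucket per (client netblock, qname, qtype), as in the RRL scheme."""
    rps: int = 5        # NSD rrl-ratelimit / BIND responses-per-second
    window: int = 15    # BIND window: caps how far a flood can drive the bucket negative
    slip: int = 2       # BIND slip: every 2nd limited query gets a truncated (TC=1) reply
    buckets: dict = field(default_factory=dict)   # key -> [balance, last_refill, limited]

    def decide(self, client_net, qname, qtype, now):
        key = (client_net, qname, qtype)
        b = self.buckets.setdefault(key, [self.rps, now, 0])
        whole = int(now - b[1])                 # credit rps per full second elapsed,
        if whole > 0:                           # banking at most one second's worth
            b[0] = min(self.rps, b[0] + whole * self.rps)
            b[1] += whole
        b[0] -= 1
        if b[0] >= 0:
            return "answer"
        b[0] = max(b[0], -self.window * self.rps)   # debt is capped at window seconds
        b[2] += 1
        return "truncate" if self.slip and b[2] % self.slip == 0 else "drop"


def simulate_burst(rrl, n=21, dig_cost=0.05, dig_timeout=1.0):
    """Model the post's `for i in {0..20}; do dig +tries=1 +time=1 ...` loop.
    A dropped query makes dig wait out its 1 s timeout, which refills credit."""
    t, out = 0.0, []
    for _ in range(n):
        v = rrl.decide("192.0.2.0/24", "isc.org.", "SOA", t)   # constructed client
        out.append(v)
        t += dig_timeout if v == "drop" else dig_cost
    return out


def seconds_to_recover(rrl, flood=1000):
    """Flood within one second, then probe once per second until answered again.
    Each probe also spends a credit, so recovery takes longer than the 15 s window."""
    for _ in range(flood):
        rrl.decide("192.0.2.0/24", "isc.org.", "ANY", 0.0)
    t = 0
    while True:
        t += 1
        if rrl.decide("192.0.2.0/24", "isc.org.", "ANY", float(t)) == "answer":
            return t


if __name__ == "__main__":
    verdicts = simulate_burst(RRL())
    print({v: verdicts.count(v) for v in ("answer", "truncate", "drop")})
    print("seconds until a flooding client is answered again:", seconds_to_recover(RRL()))
```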
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-201211231215.png
Type: image/png
Size: 20785 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20121123/2744058d/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-rrl-201211231215.png
Type: image/png
Size: 22019 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20121123/2744058d/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsd-201211231215.png
Type: image/png
Size: 20962 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20121123/2744058d/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsd-rrl-201211231215.png
Type: image/png
Size: 22580 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20121123/2744058d/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bandwidth-comparison-201211231215.png
Type: image/png
Size: 51015 bytes
Desc: not available
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20121123/2744058d/attachment-0009.png>