[ratelimits] Limiting queries

Vernon Schryver vjs at rhyolite.com
Wed Oct 24 23:33:59 UTC 2012


> From: Job <Job at colliniconsulting.it>

> Hello, I am using Ratelimit patch 9.9.2.
> I have lots of flood resolving ripe.net.
>
> I tried with different combinations of window and responses-per-second.
>
> It correctly sees drop packet or slip packet in logs, but it stops the remote IP
> only for one second.
>
> It seems not to read the "window" value, because it always waits one second,
> not more.

I do not understand.  What happens after the first second?
What messages appear in the rate-limit category?


> rate-limit {
>                        responses-per-second 15;
>                        window 20;
>                        all-per-second 5;
> }

When I try that rate-limit configuration, BIND 9.9.2 refuses to start 
and puts these messages into the system log:

    Oct 24 23:13:05 calcite named[20888]: /usr/home/vjs/isc/test/example/rrl:32: '{all-per-second 5;}' must be at least 4 times responses-per-second,errors_per_second, and nxdomains_per_second
    Oct 24 23:13:05 calcite named[20888]: loading configuration: out of range
    Oct 24 23:13:05 calcite named[20888]: exiting (due to fatal error)




] From: Matthäus Wander <matthaeus.wander at uni-due.de>

] * Job [2012-10-24 23:35]:
] > Hello, I am using Ratelimit patch 9.9.2.
] > I have lots of flood resolving ripe.net.
]
] The RRL patch is meant to be used for authoritative servers. It is not
] recommended for recursive name servers (please correct me if I'm wrong).

The RRL patch is only recommended for recursive name servers, because
many DNS clients send substantial bursts of identical requests.
For example, an SMTP server (mail receiver) using a DNSBL and
receiving a burst of spam is likely to send identical DNS requests
for PTR, A, and often MX records related to the SMTP envelope and
headers as well as requests for A records related to the DNSBL.

However, with separate views and distinct rate-limit{} statements,
or the new exempt-clients{address_match_list}; clause for the rate-limit{}
statement, you can use the patch on DNS servers that answer authoritatively
and with rate limits to the world for some zones and recursively for
all domains and without or with very high rate limits to local customers.


Some people have reported success with the patch on open recursive
servers.  This is probably because legitimate applications that
repeat DNS requests only slow down and do not fail when rate limited.
You might not want your busy SMTP server to be slowed to 10 mail/second
by DNS rate limiting on DNSBL lookups, but would not care if a
user's web browser is slowed to 10 identical URLs/second.


] You should restrict recursion to your internal IP address ranges, e.g.

Yes, if possible.


] If the source of the flood is from your internal network, use your
] internal abuse handling policy (warn user, pull cable, ...).

Yes, dealing with bad customers is better than merely defending
your own servers against them.


Vernon Schryver    vjs at rhyolite.com
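The rate-limit{} block quoted earlier was rejected by named because all-per-second was below 4 times responses-per-second. The following is an added example (not code from this thread or from BIND) that parses the numeric options of such a block and reproduces that check before the server is restarted; it assumes, per the BIND 9 ARM rather than this message, that errors-per-second and nxdomains-per-second default to responses-per-second when unset, and it ignores non-numeric clauses such as exempt-clients.

```python
import re

# Constructed sample: the rate-limit{} block quoted in the message, which
# BIND 9.9.2 logged as "out of range" and refused to start with.
REJECTED_BLOCK = """
rate-limit {
    responses-per-second 15;
    window 20;
    all-per-second 5;
};
"""

def parse_rate_limit(text):
    """Return the numeric name/value options of a rate-limit{} block as a dict."""
    m = re.search(r"rate-limit\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no rate-limit{} block found")
    opts = {}
    for name, value in re.findall(r"([a-z-]+)\s+(\d+)\s*;", m.group(1)):
        opts[name] = int(value)
    return opts

def check_all_per_second(opts):
    """Reproduce the check from the named log: all-per-second must be at
    least 4 times responses-per-second, errors-per-second and
    nxdomains-per-second.  Assumption (BIND ARM defaults, not from this
    thread): the latter two default to responses-per-second when unset.
    Returns (ok, minimum_required)."""
    if "all-per-second" not in opts:
        return True, 0  # unset: no limit on all responses, nothing to check
    rps = opts.get("responses-per-second", 0)
    eps = opts.get("errors-per-second", rps)
    nps = opts.get("nxdomains-per-second", rps)
    required = 4 * max(rps, eps, nps)
    return opts["all-per-second"] >= required, required

def fix_all_per_second(opts):
    """Return a copy of opts with all-per-second raised to the smallest
    value named will accept, leaving the other options untouched."""
    ok, required = check_all_per_second(opts)
    fixed = dict(opts)
    if not ok:
        fixed["all-per-second"] = required
    return fixed
```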

