[ratelimits] CH/TXT/id.server queries rate-limited

paul vixie paul at redbarn.org
Thu Oct 25 21:57:28 UTC 2012


On 10/25/2012 9:46 PM, Anand Buddhdev wrote:
> Hi,
>
> I've just upgraded our BIND server cluster to 9.9.2 with the rate-limit
> patch. I have two questions:
>
> a) I haven't enabled any rate-limit configuration in named.conf yet, but
> now I'm seeing this in the log:
>
> rate-limit: limit responses to x.y.0.0/16 for id.server CH TXT  (00a3d4c4)
> rate-limit: limit responses to xxxx:yyyy::/32 for id.server CH TXT  (00a3d4c4)
>
> Is this intentional?

yes. there's a default rate limit on id.server, version.bind, and
hostname.bind. these are otherwise really wonderful "orbiting death ray
platforms" that are built into almost every bind9 server on the internet.

> b) On just one server, I've now activated rate limits with:
>
> rate-limit {
>   responses-per-second 10;
>   nxdomains-per-second 0;
>   max-table-size 40000;
> };
>
> 25-Oct-2012 21:34:32.850 rate-limit: limit responses to a.b.c.0/24 for
> ripe.net IN ANY  (0002000e)
> 25-Oct-2012 21:34:35.059 rate-limit: stop limiting responses to
> a.b.c.0/24 for ripe.net IN ANY  (0002000e)
> 25-Oct-2012 21:34:42.721 rate-limit: limit responses to a.b.c.0/24 for
> ripe.net IN ANY  (0002000e)
> 25-Oct-2012 21:34:44.900 rate-limit: stop limiting responses to
> a.b.c.0/24 for ripe.net IN ANY  (0002000e)
>
> It looks like rate-limits kick in for this network, but two or three
> seconds later the rate-limit is removed. There are many such log lines,
> showing the limit being removed around two seconds after it is first
> applied. I thought the limit would be enforced for at least "window"
> seconds. Have I misunderstood something?

this is fascinating. they're blinkering. you stop; they slow down. you
start; they speed up.

i'll leave it to vernon to answer what "window" should be set to for
this and what it means.

paul
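The on/off pattern Anand reports (a network limited, then released two seconds later, over and over) is easy to measure from the log itself. The following is an added example, not code from the ratelimits list, BIND or ISC: it parses "limit" / "stop limiting" lines in the format quoted above, pairs each limit with its release per (network, qname, class, type), and flags keys that keep getting limited for only a few seconds at a time. The sample log lines are constructed (RFC 5737 documentation prefixes and made-up timestamps in place of the redacted ones), and the two-episode / five-second thresholds in flapping_keys are illustrative assumptions, not BIND's.

```python
"""Pair BIND 9 RRL 'limit' / 'stop limiting' log lines into episodes.

Added example, not BIND's or the mailing list's code.  The sample log
lines are constructed: networks and timestamps are made up, in the
format of the lines quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# One BIND rate-limit log line, e.g.
# "25-Oct-2012 21:34:32.850 rate-limit: limit responses to 192.0.2.0/24 for ripe.net IN ANY  (0002000e)"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rate-limit: "
    r"(?P<action>limit|stop limiting) responses to (?P<net>\S+) for "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)\s+\((?P<code>[0-9a-f]+)\)$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample: the ripe.net/ANY episodes mirror the timings quoted in
# the thread; the id.server line is an episode still open at end of log.
SAMPLE_LOG = """\
25-Oct-2012 21:34:32.850 rate-limit: limit responses to 192.0.2.0/24 for ripe.net IN ANY  (0002000e)
25-Oct-2012 21:34:35.059 rate-limit: stop limiting responses to 192.0.2.0/24 for ripe.net IN ANY  (0002000e)
25-Oct-2012 21:34:42.721 rate-limit: limit responses to 192.0.2.0/24 for ripe.net IN ANY  (0002000e)
25-Oct-2012 21:34:44.900 rate-limit: stop limiting responses to 192.0.2.0/24 for ripe.net IN ANY  (0002000e)
25-Oct-2012 21:35:01.004 rate-limit: limit responses to 198.51.100.0/24 for id.server CH TXT  (00a3d4c4)
some unrelated named log line that the parser must skip
"""


def parse_events(text):
    """Return [(timestamp, action, key)]; lines that are not RRL lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        key = (m["net"], m["qname"], m["qclass"], m["qtype"])
        events.append((datetime.strptime(m["ts"], TS_FMT), m["action"], key))
    return events


def limit_episodes(events):
    """Pair each 'limit' with the next 'stop limiting' for the same key.

    Returns {key: [(start, end, seconds)]}.  An episode still open at the
    end of the log has end=None and seconds=None.
    """
    episodes = defaultdict(list)
    open_since = {}
    for ts, action, key in sorted(events, key=lambda e: e[0]):
        if action == "limit":
            if key not in open_since:   # repeated 'limit' without a stop: keep the first start
                open_since[key] = ts
        elif key in open_since:
            start = open_since.pop(key)
            episodes[key].append((start, ts, (ts - start).total_seconds()))
        # a 'stop' with no matching 'limit' (e.g. log rotated mid-episode) is ignored
    for key, start in open_since.items():
        episodes[key].append((start, None, None))
    return dict(episodes)


def flapping_keys(episodes, min_episodes=2, max_seconds=5.0):
    """Keys limited repeatedly, each time only briefly: the 'blinkering'
    pattern from the thread (sender slows when limited, speeds up when
    the limit lifts).  Thresholds are illustrative assumptions."""
    out = []
    for key, eps in episodes.items():
        closed = [s for _, _, s in eps if s is not None]
        if len(closed) >= min_episodes and max(closed) <= max_seconds:
            out.append(key)
    return out


if __name__ == "__main__":
    eps = limit_episodes(parse_events(SAMPLE_LOG))
    for key, lst in eps.items():
        for start, end, secs in lst:
            print(key, start.time(), end.time() if end else "open", secs)
    print("flapping:", flapping_keys(eps))
```

Run against a real named log (for example, `python3 rrl_episodes.py < named.log` after swapping SAMPLE_LOG for sys.stdin.read()) to see, per client network and query, how long each limit episode actually lasted and which clients are adapting to the limiter rather than being stopped by it.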

