[ratelimits] No response repeated queries
Vernon Schryver
vjs at rhyolite.com
Mon Sep 24 05:21:36 UTC 2012
> From: Pete Ashdown <pashdown at xmission.com>
> > "slip 0;" turns off substituting truncated responses instead of
> > dropping responses.
>
> For only duplicates, or for everything?
The RRL patch limits distinct responses independently. A stream
of responses for a particular name and record type from a given
client CIDR block are dropped or converted to truncated responses
('slipped') independently of other responses.
> Is a slip response only in regards to a duplicate? If a victim IP address is
> being spoofed for isc.org, and they do a legitimate request for a non-isc.org
> address, is it allowed through if I have slip=0?
The RRL patch is not about watching for burst of requests matching
a pattern and then blocking everything with a simplistic firewall rule.
Instead, the RRL patch limits streams of responses (not requests)
of functionally identical name, type, and client CIDR block.
Responses for some other name, another type, or other IP address
block are counted and rate limited independently.
Responses are limited with what might be called a database of
independent records keyed by (qtype, qname, IP address block).
The records including timers, counters for normal responses, NXDOMAIN
errors, other errors, and for handling "slip", and so forth.
The keys and records are defined in the lib/dns/include/dns/rrl.h file.
Of course, that independence assumes that the DNS server is not being
hit by more than max-table-size distinct requests per window seconds.
It also ignores indirect effects such as lots of CPU cycles and bandwidth
spent on one stream might slow handling of other requests.
Vernon Schryver vjs at rhyolite.com
More information about the ratelimits
mailing list