[ratelimits] rate limiting recursive server

Joe Abley jabley at hopcount.ca
Tue Apr 16 21:33:29 UTC 2013


On 2013-04-16, at 17:25, Patrick W. Gilmore <patrick at ianai.net> wrote:

> Pardon me if this has been asked before, but I can't find it in my archives. (Haven't been on the list that long.)
> 
> We have a recursive server we need to leave open for diagnostic purposes. It is running BIND. Is there a way to limit it to a few qps so it cannot be used (effectively) as an amplifier?
> 
> Obviously RRL is not designed for recursive servers, although I've heard of a few people putting it on them. I'm not even sure it would do what they think it would do. Hence the question here.

RRL is not recommended for general-purpose production resolvers because it's common for non-caching stub resolvers to many send queries that generate an identical response in short succession (think open facebook page), and it would be an error to treat that traffic as unwanted.

(RRL is applicable to authority-only servers because there's an expectation that clients of authority-only servers cache responses, and hence characterising query patterns that give identical responses within a small window as unwanted is more reasonable.)

It sounds like what you're talking about is not a production resolver, but rather a test box that you can control the query stream to. If that's the case I would think you're good to run RRL with whatever parameters match your expected client behaviour.


Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130416/94d0b77a/attachment.pgp>


More information about the ratelimits mailing list