[ratelimits] Extending RRL to refused recursive queries

Vernon Schryver vjs at rhyolite.com
Wed Apr 17 16:32:50 UTC 2013

> From: shawmplayer at yahoo.com

> read the code it was apparent that refused recursion queries never pass 
> through through it. 

What about the rate limiting that is applied to REFUSED and all error
responses except NXDOMAIN in ns_client_error() in bin/named/client.c?
In other words, what if you set
    rate-limit {
        errors-per-second 1;
and perhaps also
        slip 0;
in your external view?
That should limit all /24 blocks to at most 1 REFUSED response per second.

A quick test using an ISP shell account against my DNS server suggests
that REFUSED rate limiting is not broken in the version of BIND that
I'm using today:

    % repeat 12 dig +short +tries=1 +novc +timeo=1 cnn.com @ns.rhyolite.com
    ;; connection timed out; no servers could be reached
    ;; connection timed out; no servers could be reached

I use "responses-per-second 5;" and since the default for errors-per-second
is the responses-per-second value, dig should (and does) get 10 REFUSED
responses and 2 timeouts.   I use the default "slip 2", but `dig` sees
no truncated responses (because its timeout gets it out of the penalty box.

> +		rrl_result = DNS_R_CANTDELEGATE;
> +		rrl_result = dns_rrl(client->view, &client->peeraddr,

I don't understand the purpose of the first of those two lines or
the purpose of DNS_R_CANTDELEGATE in general.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list