[ratelimits] Extending RRL to refused recursive queries
Vernon Schryver
vjs at rhyolite.com
Wed Apr 17 16:32:50 UTC 2013
> From: shawmplayer at yahoo.com
> read the code it was apparent that refused recursion queries never pass
> through it.
What about the rate limiting that is applied to REFUSED and all error
responses except NXDOMAIN in ns_client_error() in bin/named/client.c?
In other words, what if you set
rate-limit {
errors-per-second 1;
and perhaps also
slip 0;
}
in your external view?
That should limit all /24 blocks to at most 1 REFUSED response per second.
A quick test using an ISP shell account against my DNS server suggests
that REFUSED rate limiting is not broken in the version of BIND that
I'm using today:
% repeat 12 dig +short +tries=1 +novc +timeo=1 cnn.com @ns.rhyolite.com
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
I use "responses-per-second 5;" and since the default for errors-per-second
is the responses-per-second value, dig should (and does) get 10 REFUSED
responses and 2 timeouts. I use the default "slip 2", but `dig` sees
no truncated responses (because its timeout gets it out of the penalty box).
> + rrl_result = DNS_R_CANTDELEGATE;
> + rrl_result = dns_rrl(client->view, &client->peeraddr,
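Review bot: the assignment `rrl_result = DNS_R_CANTDELEGATE;` is a dead store, since the very next line overwrites `rrl_result` with the return value of `dns_rrl(...)`; either drop it or document why a sentinel value is needed there. The `dns_rrl(` call is cut off in the quoted fragment, so its remaining arguments and how `rrl_result` is consumed afterwards cannot be checked from these lines.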
I don't understand the purpose of the first of those two lines or
the purpose of DNS_R_CANTDELEGATE in general.
Vernon Schryver vjs at rhyolite.com
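The REFUSED probe run above, as an added example that is not part of the original message or of BIND: a POSIX shell script that repeats the dig loop without +short, so each reply's header is visible, and tallies how many queries got REFUSED, a truncated reply from slip, or a timeout. The sample dig output it carries is constructed; the query name, server and count passed to probe_refused are placeholders for your own external view.

```shell
#!/bin/sh
# Added example, not from the original post or from BIND: repeat the post's
# REFUSED probe without +short (so each reply's header is visible) and tally
# how many queries got REFUSED, a truncated (TC) reply from slip, or a timeout.

# classify_dig_output: read concatenated dig output on stdin and print one
# "<STATUS> <count>" line per rcode, plus TIMEOUT and TC counts.
classify_dig_output() {
    awk '
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status[$0]++; next }
        /^;; flags:/ && / tc[; ]/ { tc++; next }
        /connection timed out/ { status["TIMEOUT"]++; next }
        END {
            for (s in status) printf "%s %d\n", s, status[s]
            printf "TC %d\n", tc + 0
        }
    ' | LC_ALL=C sort
}

# probe_refused QNAME SERVER COUNT: send COUNT UDP queries back to back, as the
# post does with "repeat 12 dig ...". +ignore keeps dig from retrying a
# truncated reply over TCP, so slipped replies are counted rather than hidden.
probe_refused() {
    i=0
    while [ "$i" -lt "$3" ]; do
        dig +tries=1 +timeout=1 +novc +ignore "$1" "@$2"
        i=$((i + 1))
    done | classify_dig_output
}

# sample_dig_output: constructed stand-in for the post's run against a server
# with responses-per-second 5 and default errors-per-second: 10 REFUSED
# replies followed by 2 timeouts.
sample_dig_output() {
    i=0
    while [ "$i" -lt 10 ]; do
        printf ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: %d\n' "$((1000 + i))"
        printf ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n'
        i=$((i + 1))
    done
    printf ';; connection timed out; no servers could be reached\n'
    printf ';; connection timed out; no servers could be reached\n'
}
```

Run `probe_refused cnn.com ns.example.test 12` (placeholder server) against your own view; with `slip 2` in effect you should see the TC count rise instead of REFUSED once the errors-per-second credit is spent.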