[ratelimits] Extending RRL to refused recursive queries
shawmplayer at yahoo.com
Wed Apr 17 18:22:29 UTC 2013
--On April 17, 2013 4:32:50 PM +0000 Vernon Schryver <vjs at rhyolite.com>
wrote:
>> From: shawmplayer at yahoo.com
>
>> read the code it was apparent that refused recursion queries never
>> pass through it.
>
> What about the rate limiting that is applied to REFUSED and all error
> responses except NXDOMAIN in ns_client_error() in bin/named/client.c?
Thanks for pointing this out. Am I confused because the code in
bin/named/client.c doesn't report 'dropped for rate limits'
statistics, unlike bin/named/query.c? For example, if I run the virgin
rrl patch for a short time, I get:
2907 IPv4 requests received
2487 requests with EDNS(0) received
2470 recursive queries rejected
441 responses sent
2 truncated responses sent
21 responses with EDNS(0) sent
251 queries resulted in successful answer
142 queries resulted in authoritative answer
292 queries resulted in non authoritative answer
28 queries resulted in nxrrset
3 queries resulted in SERVFAIL
155 queries resulted in NXDOMAIN
227 queries caused recursion
2470 other query failures
while if I run it with my patch for the same amount of time I get:
2899 IPv4 requests received
2485 requests with EDNS(0) received
2480 recursive queries rejected
423 responses sent
9 responses with EDNS(0) sent
206 queries resulted in successful answer
155 queries resulted in authoritative answer
256 queries resulted in non authoritative answer
40 queries resulted in nxrrset
8 queries resulted in SERVFAIL
165 queries resulted in NXDOMAIN
194 queries caused recursion
2476 queries dropped
4 other query failures
2476 responses dropped for rate limits
If the responses are being dropped either way, there might be some
point in tweaking bin/named/client.c to provide a more comforting view
that rate limits are having the desired effect.
>> + rrl_result = DNS_R_CANTDELEGATE;
>> + rrl_result = dns_rrl(client->view, &client->peeraddr,
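Review bot: the assignment `rrl_result = DNS_R_CANTDELEGATE;` is overwritten by the return value of `dns_rrl(...)` on the very next line, so as shown it is a dead store unless one of the arguments not visible in the quote passes rrl_result into dns_rrl by pointer. If the intent is to tell dns_rrl that this response belongs to a separate refused-recursion class, pass that as an explicit argument (or a dedicated result/class value) instead of reusing an unrelated result code, and document the new meaning next to the call.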
>
> I don't understand the purpose of the first of those two lines or
> the purpose of DNS_R_CANTDELEGATE in general.
This was more of a hack employed to get dns_rrl to use my new rate
limit for refused recursive queries. The choice of terms could be
better, but was arrived at when I had an incomplete view of what the
code was doing. In my case the added discrimination between refused
recursive queries, NXDOMAIN and all other errors is useful because I
can set the rate limit very low for refused recursive queries, while
leaving the others at higher rates. For a non-recursive server, any
recursive query is an automatic error, and little is gained after
sending the first refusal to a particular client. That may not be the
case for the catch-all error category.
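The argument above is that a non-recursive server gains nothing from sending more than one REFUSED to a client that keeps asking for recursion, while the catch-all error category may still need a higher rate. The following simulation, added here as an illustration and not part of the patch, named, or this thread, shows the effect of giving refused recursive queries their own bucket. The credit accounting is a simplified model of RRL (each client /24 and response class starts with `rate` credits, gains `rate` per second up to rate*window, spends one per response, and is floored at -rate*window); the rates, the class names, the client address and the query stream are constructed assumptions, not BIND configuration or the patch's own code.

```python
from collections import defaultdict
from ipaddress import ip_address

# Response classes. Stock named limits answers, NXDOMAIN and "other errors";
# REFUSED_RECURSION is the extra class the patch argues for (assumption: modelled
# here as its own bucket).
ANSWER = "answer"
NXDOMAIN = "nxdomain"
ERROR = "error"
REFUSED_RECURSION = "refused-recursion"

# Constructed rate tables (responses per second per /24 and class).
STOCK = {ERROR: 5, NXDOMAIN: 5}
PATCHED = {REFUSED_RECURSION: 1, ERROR: 5, NXDOMAIN: 5}


class RateLimiter:
    """Simplified RRL credit model keyed by (client prefix, response class).

    Teaching model only: starts each bucket at `rate` credits, adds `rate`
    per elapsed second up to rate*window, spends one credit per response and
    floors the balance at -rate*window so a client recovers within a window.
    """

    def __init__(self, rates, window=15, prefix_bits=24):
        self.rates = rates
        self.window = window
        self.prefix_bits = prefix_bits
        self.buckets = {}  # (prefix, class) -> (credits, last_seen)

    def _prefix(self, addr):
        # Collapse the client address to its /prefix_bits network.
        return int(ip_address(addr)) >> (32 - self.prefix_bits)

    def allow(self, addr, cls, now):
        rate = self.rates.get(cls)
        if rate is None:
            return True  # class is not rate limited at all
        cap = rate * self.window
        key = (self._prefix(addr), cls)
        credits, last = self.buckets.get(key, (rate, now))
        credits = min(cap, credits + rate * (now - last))  # replenish
        credits = max(-cap, credits - 1)                    # spend, floored
        self.buckets[key] = (credits, now)
        return credits >= 0


def bucket_for(cls, separate_refused):
    """Stock named folds a refused recursive query into the error class;
    with the separate bucket it is limited on its own."""
    if cls == REFUSED_RECURSION and not separate_refused:
        return ERROR
    return cls


def simulate(rates, separate_refused, events):
    """Run (time, client, class) events through the limiter; return per-class counts."""
    rrl = RateLimiter(rates)
    stats = defaultdict(lambda: {"sent": 0, "dropped": 0})
    for now, addr, cls in sorted(events, key=lambda e: e[0]):
        ok = rrl.allow(addr, bucket_for(cls, separate_refused), now)
        stats[cls]["sent" if ok else "dropped"] += 1
    return dict(stats)


def sample_stream():
    """Constructed traffic from one /24: a burst of recursive queries at a
    non-recursive server, a few genuine SERVFAILs, some NXDOMAINs, and one
    more recursive query two seconds later."""
    client = "192.0.2.10"
    events = [(0, client, REFUSED_RECURSION)] * 50
    events += [(0, client, ERROR)] * 3
    events += [(0, client, NXDOMAIN)] * 10
    events += [(2, client, REFUSED_RECURSION)]
    return events


if __name__ == "__main__":
    for label, rates, sep in (("stock", STOCK, False), ("patched", PATCHED, True)):
        print(label)
        for cls, counts in simulate(rates, sep, sample_stream()).items():
            print(f"  {cls:18s} sent={counts['sent']:3d} dropped={counts['dropped']:3d}")
```

With the shared error bucket the refused-recursion burst spends the whole error budget, so the three legitimate SERVFAIL responses are dropped along with it; with the separate one-per-second bucket the first refusal goes out, the rest are dropped, and the error budget is untouched.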