[ratelimits] Extending RRL to refused recursive queries

shawmplayer at yahoo.com shawmplayer at yahoo.com
Wed Apr 17 18:22:29 UTC 2013


--On April 17, 2013 4:32:50 PM +0000 Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: shawmplayer at yahoo.com
>
>> read the code it was apparent that refused recursion queries never
>> pass through it.
>
> What about the rate limiting that is applied to REFUSED and all error
> responses except NXDOMAIN in ns_client_error() in bin/named/client.c?

Thanks for pointing this out. Am I confused because the code in
bin/named/client.c doesn't report 'dropped for rate limits'
statistics, unlike bin/named/query.c? For example, if I run the virgin
rrl patch for a short time, I get:

                2907 IPv4 requests received
                2487 requests with EDNS(0) received
                2470 recursive queries rejected
                 441 responses sent
                   2 truncated responses sent
                  21 responses with EDNS(0) sent
                 251 queries resulted in successful answer
                 142 queries resulted in authoritative answer
                 292 queries resulted in non authoritative answer
                  28 queries resulted in nxrrset
                   3 queries resulted in SERVFAIL
                 155 queries resulted in NXDOMAIN
                 227 queries caused recursion
                2470 other query failures

while if I run it with my patch for the same amount of time I get:

                2899 IPv4 requests received
                2485 requests with EDNS(0) received
                2480 recursive queries rejected
                 423 responses sent
                   9 responses with EDNS(0) sent
                 206 queries resulted in successful answer
                 155 queries resulted in authoritative answer
                 256 queries resulted in non authoritative answer
                  40 queries resulted in nxrrset
                   8 queries resulted in SERVFAIL
                 165 queries resulted in NXDOMAIN
                 194 queries caused recursion
                2476 queries dropped
                   4 other query failures
                2476 responses dropped for rate limits

If the responses are being dropped either way, there might be some 
point in tweaking bin/named/client.c to provide a more comforting view 
that rate limits are having the desired effect.

>> +		rrl_result = DNS_R_CANTDELEGATE;
>> +		rrl_result = dns_rrl(client->view, &client->peeraddr,
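Review bot: the assignment `rrl_result = DNS_R_CANTDELEGATE;` is overwritten by the assignment from dns_rrl() on the very next line, so the only way its value can matter is if it is also passed as an argument on the continuation line that is not shown here; if that is the intent, a separately named variable (or a result code named for refused recursion) would make the purpose explicit instead of reusing DNS_R_CANTDELEGATE as a stand-in for "recursion refused".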
>
> I don't understand the purpose of the first of those two lines or
> the purpose of DNS_R_CANTDELEGATE in general.

This was more of a hack employed to get dns_rrl to use my new rate 
limit for refused recursive queries. The choice of terms could be 
better, but was arrived at when I had an incomplete view of what the 
code was doing. In my case the added discrimination between refused 
recursive queries, NXDOMAIN and all other errors is useful because I 
can set the rate limit very low for refused recursive queries, while 
leaving the others at higher rates. For a non-recursive server, any 
recursive query is an automatic error, and little is gained after 
sending the first refusal to a particular client. That may not be the 
case for the catch-all error category. 
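As an added example (not code from BIND or from this thread), the following C model shows the per-client, per-class counting the post argues for: a separate, very low limit for refused recursive queries next to higher limits for NXDOMAIN and other errors, so a client gets one refusal per second and the rest are dropped. The class names, the limits, the client prefixes and the fixed-size table are assumptions for illustration; BIND's real RRL tracks clients by prefix and uses credits and slip, which this model omits.

```c
#include <stdio.h>
#include <string.h>

/* Response classes the post wants to limit separately (illustrative model,
 * not BIND's dns_rrl); the numbers are responses per second per client. */
enum rrl_class { RRL_REFUSED_RECURSION, RRL_NXDOMAIN, RRL_OTHER_ERROR, RRL_NCLASSES };
static const int rrl_limit[RRL_NCLASSES] = { 1, 5, 5 };  /* assumed limits */

#define MAX_CLIENTS 16
struct client_state {
    const char *addr;        /* client prefix, kept as a string for simplicity */
    int sec;                 /* second the counters below belong to */
    int sent[RRL_NCLASSES];  /* responses already sent in that second */
};
static struct client_state table[MAX_CLIENTS];

/* Find or insert a client; NULL when the table is full (caller fails open). */
static struct client_state *lookup(const char *addr) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (table[i].addr == NULL) { table[i].addr = addr; return &table[i]; }
        if (strcmp(table[i].addr, addr) == 0) return &table[i];
    }
    return NULL;
}

/* Returns 1 if the response may be sent, 0 if it is dropped for rate limits. */
int rrl_check(const char *addr, enum rrl_class cls, int now) {
    struct client_state *c = lookup(addr);
    if (c == NULL) return 1;
    /* A new second starts the per-class counters afresh. */
    if (c->sec != now) { c->sec = now; memset(c->sent, 0, sizeof c->sent); }
    if (c->sent[cls] >= rrl_limit[cls]) return 0;
    c->sent[cls]++;
    return 1;
}

/* Offer n responses of one class to one client within one second and
 * return how many of them were actually sent. */
int count_sent(const char *addr, enum rrl_class cls, int n, int now) {
    int sent = 0;
    for (int i = 0; i < n; i++) sent += rrl_check(addr, cls, now);
    return sent;
}

int main(void) {
    int s = count_sent("192.0.2.0/24", RRL_REFUSED_RECURSION, 100, 0);
    printf("refused recursion: %d of 100 sent, %d dropped for rate limits\n", s, 100 - s);
    s = count_sent("192.0.2.0/24", RRL_OTHER_ERROR, 100, 0);
    printf("other errors: %d of 100 sent, %d dropped for rate limits\n", s, 100 - s);
    return 0;
}
```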
