[ratelimits] RRL logs understanding

Vernon Schryver vjs at rhyolite.com
Thu Aug 22 13:21:33 UTC 2013


> From: Ferran Donadie <donadie at gmail.com>

> rate-limit {
>    log-only yes;
>    responses-per-second 1000;
>    //errors-per-second 5;
>    window 5;
>    //ipv4-prefix-length 24;
>    }

> 22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b2bb02  age=0  responses=989
> 22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for www.belkin.com IN A  (0094c96d)
> 22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00a69841         responses=999
> 22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for ent-shasta-rrs.symantec.com IN A  (5c96f000)
> 22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 006fc489         responses=999
> 22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT  (000fc4c1)
> 22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64bf5  age=0  responses=996
> 22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT  (000fc4c1)
> 22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64c01  age=0  responses=995
> 22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting NXDOMAIN response to xxx.xxx.xxx.xxx/24 for trendmicro.com  (da247a83)
> 22-Aug-2013 10:53:55.284 rate-limit: debug 9: rrl 00be5946         responses=999
> 22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for star.c10r.facebook.com IN A  (3515a5c4)
> 22-Aug-2013 10:53:55.284 rate-limit: debug 9: rrl 00620399  age=0  responses=993
> 22-Aug-2013 10:53:55.285 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for fbcdn-sphotos-e-a.akamaihd.net IN A  (0422f0af)

> I am looking at setting RRL in cache servers, this is because although
> they are not open to the Internet, they are abused from inside my
> network (different reasons), and I wanted to check first with log-only
> to see what I would be limiting, before applying a responses-per-second
> limit number.

If BIND had wanted to drop or slip a response but could not because
of "log-only yes", then the log message would be something like
"would have dropped response to ...".

Notice also that token bucket value remains positive at 989, 999, ...
Responses are dropped or slipped only when the value is negative.


> What in the logs appear is that even with 1000 response-per-second, I'll stop
> answering non-abusive queries.

None of those log messages report dropping or "slipping" any responses.
"Consider limiting" means "think about limiting".  You get those
messages only with high debugging levels.  While debugging the code,
I found those messages useful, because they indicated to me that the
code was doing the right thing even when it did nothing.

>                                It also seems to me that RRL is counting too
> many queries that don't match if I monitor the service with dnstop.

What do you mean by that?


Vernon Schryver    vjs at rhyolite.com
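A small triage script for RRL debug logs, added here as an illustration; it is not part of the original thread and not BIND's own code. It parses the "debug 9" token-bucket lines and the "debug 3" decision lines in the format shown in the quoted post, flags buckets whose value has gone negative (the only state in which a response is actually dropped or slipped), and separates "consider limiting" chatter from log-only "would have ..." messages. The reply only paraphrases the log-only wording, so the "would have dropped"/"would have slipped" pattern is an assumption, and the sample lines, client prefix and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample log. The bucket and "consider limiting" lines follow the
# format quoted in the post; the "would have dropped" line is an ASSUMED
# rendering of the log-only message, which the reply only paraphrases.
SAMPLE_LOG = """\
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b2bb02  age=0  responses=989
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to 192.0.2.0/24 for www.example.com IN A  (0094c96d)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00a69841         responses=999
22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting NXDOMAIN response to 192.0.2.0/24 for nx.example.com  (da247a83)
22-Aug-2013 10:53:55.284 rate-limit: debug 9: rrl 00be5946  age=0  responses=-3
22-Aug-2013 10:53:55.284 rate-limit: debug 3: would have dropped response to 192.0.2.0/24 for www.example.com IN A  (0094c96d)
"""

# "rrl <entry-id> [age=N] responses=<token bucket>"; the bucket may be negative.
BUCKET_RE = re.compile(
    r"rate-limit: debug \d+: rrl (?P<entry>[0-9a-f]+)\s+"
    r"(?:age=(?P<age>\d+)\s+)?responses=(?P<tokens>-?\d+)"
)

# "<verb> <kind> to <client prefix> for <qname [class type]>  (<hash>)".
# "consider limiting" is debug-only chatter; the "would have ..." verbs are
# an assumption about the log-only wording.
ACTION_RE = re.compile(
    r"rate-limit: debug \d+: "
    r"(?P<verb>consider limiting|would have dropped|would have slipped) "
    r"(?P<kind>.*?) to (?P<client>\S+) for (?P<qname>.+?)\s+\((?P<hash>[0-9a-f]+)\)"
)


def classify(line):
    """Return (category, details) for one BIND RRL log line."""
    m = BUCKET_RE.search(line)
    if m:
        tokens = int(m.group("tokens"))
        # Only a negative bucket means a response would be dropped or slipped.
        cat = "bucket_negative" if tokens < 0 else "bucket_positive"
        return cat, {"entry": m.group("entry"), "tokens": tokens}
    m = ACTION_RE.search(line)
    if m:
        cat = "no_action" if m.group("verb") == "consider limiting" else "log_only_action"
        return cat, {
            "client": m.group("client"),
            "qname": m.group("qname"),
            "kind": m.group("kind"),
        }
    return "other", {}


def summarize(text):
    """Count lines per category and collect the log-only actions worth reviewing."""
    counts = Counter()
    actions = []
    for line in text.splitlines():
        cat, info = classify(line)
        counts[cat] += 1
        if cat == "log_only_action":
            actions.append(info)
    return counts, actions


if __name__ == "__main__":
    counts, actions = summarize(SAMPLE_LOG)
    for cat, n in sorted(counts.items()):
        print(f"{cat:18s} {n}")
    for a in actions:
        print(f"log-only: would act on {a['kind']} to {a['client']} for {a['qname']}")
```

Run it against a real log captured with `log-only yes` and a high `rate-limit` debug level: if every decision line lands in `no_action` and every bucket line in `bucket_positive`, the configured `responses-per-second` is not touching any traffic yet.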

