[ratelimits] RRL logs understanding
Ferran Donadie
donadie at gmail.com
Thu Aug 22 10:43:38 UTC 2013
Hello everyone,
I am using CentOS 6.4 with Bind version BIND
9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4, which I believe is a Bind version
that has been patched by RedHat with RRL support.
rate-limit {
log-only yes;
responses-per-second 1000;
//errors-per-second 5;
window 5;
//ipv4-prefix-length 24;
}
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b2bb02 age=0 responses=989
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for www.belkin.com IN A (0094c96d)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00a69841 responses=999
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for ent-shasta-rrs.symantec.com IN A (5c96f000)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 006fc489 responses=999
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT (000fc4c1)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64bf5 age=0 responses=996
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT (000fc4c1)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64c01 age=0 responses=995
22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting NXDOMAIN response to xxx.xxx.xxx.xxx/24 for trendmicro.com (da247a83)
22-Aug-2013 10:53:55.284 rate-limit: debug 9: rrl 00be5946 responses=999
22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for star.c10r.facebook.com IN A (3515a5c4)
22-Aug-2013 10:53:55.284 rate-limit: debug 9: rrl 00620399 age=0 responses=993
22-Aug-2013 10:53:55.285 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for fbcdn-sphotos-e-a.akamaihd.net IN A (0422f0af)
I am looking at setting up RRL on cache servers. This is because,
although they are not open to the Internet, they are abused from inside
my network (for different reasons), and I wanted to check first with
log-only to see what I would be limiting before applying a
responses-per-second limit.
What appears in the logs is that even with 1000 responses-per-second, I'll
stop answering non-abusive queries. It also seems to me that RRL is
counting too many queries, which doesn't match what I see if I monitor the
service with dnstop.
Am I reading these RRL logs badly? Doing something wrong with the
configuration? Any known bug that I can't find?
Any help will be appreciated.
Regards,
--
Regards,
Ferran Donadie.
There is no colour for mourning.
-- Ramoncín.
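The "consider limiting" lines above are keyed by client prefix (the /24 from ipv4-prefix-length), by the kind of answer (response, referral, NXDOMAIN response) and by the name and type, while the "rrl <id> ... responses=N" lines show the per-entry counter that sits just under the configured 1000. The script below is an added example, not part of the post or of BIND: it parses those two line shapes with regular expressions written against the format shown above (an assumption, since BIND's exact wording can differ between versions), and summarises which client prefixes and which name/type pairs would have been limited in log-only mode, plus the lowest responses= value seen per entry. The log sample is constructed: the first ten lines copy the shape of the post's output, and the last three are made up so the summaries have more than one key.

```python
"""Summarise BIND 9 RRL log-only debug output: who and what would be limited."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample. Lines 1-10 follow the post's output (client prefix
# masked as xxx.xxx.xxx.xxx/24, as in the post); lines 11-13 are invented
# here so that per-entry and per-client summaries have several keys.
SAMPLE_LOG = """\
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b2bb02 age=0 responses=989
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for www.belkin.com IN A (0094c96d)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00a69841 responses=999
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting response to xxx.xxx.xxx.xxx/24 for ent-shasta-rrs.symantec.com IN A (5c96f000)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 006fc489 responses=999
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT (000fc4c1)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64bf5 age=0 responses=996
22-Aug-2013 10:53:55.283 rate-limit: debug 3: consider limiting referral to xxx.xxx.xxx.xxx/24 for bfhmm.com IN TXT (000fc4c1)
22-Aug-2013 10:53:55.283 rate-limit: debug 9: rrl 00b64c01 age=0 responses=995
22-Aug-2013 10:53:55.284 rate-limit: debug 3: consider limiting NXDOMAIN response to xxx.xxx.xxx.xxx/24 for trendmicro.com (da247a83)
22-Aug-2013 10:53:55.285 rate-limit: debug 9: rrl 00b2bb02 age=0 responses=988
22-Aug-2013 10:53:55.285 rate-limit: debug 3: consider limiting response to 10.0.0.0/24 for star.c10r.facebook.com IN A (3515a5c4)
22-Aug-2013 10:53:55.285 rate-limit: debug 3: consider limiting response to 192.0.2.0/24 for fbcdn-sphotos-e-a.akamaihd.net IN A (0422f0af)
"""

# "consider limiting <kind> to <client prefix> for <qname>[ IN <qtype>] (<hash>)"
# The qtype part is absent on NXDOMAIN lines, hence the optional group.
CONSIDER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rate-limit: debug (?P<level>\d+): "
    r"consider limiting (?P<kind>.+?) to (?P<client>\S+) for (?P<qname>\S+)"
    r"(?: IN (?P<qtype>\S+))? \((?P<hash>[0-9a-f]+)\)$"
)
# "rrl <entry id>[ age=<n>] responses=<n>": per-entry state at debug 9.
# A leading minus on responses= is accepted defensively (assumption).
ENTRY_RE = re.compile(
    r"rate-limit: debug (?P<level>\d+): rrl (?P<entry>[0-9a-f]+)"
    r"(?: age=(?P<age>\d+))? responses=(?P<responses>-?\d+)$"
)


def parse_rrl_log(text: str) -> Tuple[List[dict], List[dict]]:
    """Split the log into 'consider limiting' events and per-entry state lines."""
    events, entries = [], []
    for line in text.splitlines():
        m = CONSIDER_RE.match(line)
        if m:
            d = m.groupdict()
            d["level"] = int(d["level"])
            events.append(d)
            continue
        m = ENTRY_RE.search(line)
        if m:
            d = m.groupdict()
            d["level"] = int(d["level"])
            d["responses"] = int(d["responses"])
            d["age"] = int(d["age"]) if d["age"] is not None else None
            entries.append(d)
    return events, entries


def would_limit_by_client(events: List[dict]) -> Counter:
    """How many would-limit decisions each client prefix attracted."""
    return Counter(e["client"] for e in events)


def would_limit_by_name(events: List[dict]) -> Counter:
    """Would-limit decisions keyed the way RRL keys them: prefix, kind, name, type."""
    return Counter((e["client"], e["kind"], e["qname"], e["qtype"] or "-")
                   for e in events)


def lowest_responses(entries: List[dict]) -> Dict[str, int]:
    """Lowest responses= value observed per RRL entry id."""
    low: Dict[str, int] = {}
    for e in entries:
        low[e["entry"]] = min(low.get(e["entry"], e["responses"]), e["responses"])
    return low


def report(text: str) -> dict:
    events, entries = parse_rrl_log(text)
    return {
        "events": events,
        "entries": entries,
        "by_client": would_limit_by_client(events),
        "by_name": would_limit_by_name(events),
        "lowest_responses": lowest_responses(entries),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print(f"{len(r['events'])} would-limit events, "
          f"{len(r['lowest_responses'])} RRL entries seen")
    for client, n in r["by_client"].most_common():
        print(f"  {n:3d}  {client}")
    for (client, kind, qname, qtype), n in r["by_name"].most_common(5):
        print(f"  {n:3d}  {client} {kind} {qname} {qtype}")
    for entry, low in sorted(r["lowest_responses"].items(), key=lambda kv: kv[1]):
        print(f"  entry {entry}: lowest responses={low}")
```

Run it over the real log with `named` at the debug level that produced the lines above; the by_name counter tells you which internal prefixes are concentrating identical answers into one RRL bucket, which is what log-only mode is meant to reveal before responses-per-second is enforced.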