[ratelimits] Analysis of BIND RRL patch + question
Vernon Schryver
vjs at rhyolite.com
Mon Feb 11 19:11:33 UTC 2013
> From: ratelimits at elsif.net
> rate-limit {
>     responses-per-second 5;
>     window 5;
> };
> Percentage completed: 52.00%
> Percentage lost: 48.00%
> Percentage completed: 50.20%
> Percentage lost: 49.80%
>
> This means that I've responded to ~45 queries/second.
> Why did I respond to 45 queries/second when I'm configured to do:
> responses-per-second 5;

Because the default 'slip' value is 2, 50% of the responses after
the first 5 get a truncated (TC=1) response or are 'slipped'.

To turn off the slip mechanism and so respond to at most 5 queries/second,
add "slip 0;" to your configuration.

The 'penalty box' mechanism in the BIND version of RRL will cause all
responses to be dropped or slipped as long as more than requests/sec
are sent after the first second when those 100 requests were sent.

Please see the BIND RRL documentation by following the link on
http://www.redbarn.org/dns/ratelimits labeled
Draft text for BIND9 Administrators Reference Manual (ARM)
describing DNS Response Rate Limiting (RRL).

Vernon Schryver vjs at rhyolite.com
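
The arithmetic behind the reply above, as an added example that is not part of the original post and is not BIND's code: a simplified one-second model of how 'slip' splits over-limit responses between TC=1 answers and drops. It assumes 100 identical queries from one client arrive in the first second and that the test tool counts a TC=1 response as "completed"; the function names are hypothetical, and 'window' and the penalty box are not modeled.

```python
"""Simplified per-second model of RRL 'slip' accounting (illustrative only)."""


def simulate_second(queries, responses_per_second, slip):
    """Classify identical queries from one client within a single second.

    Assumptions (not taken from BIND's source):
      * the first `responses_per_second` queries get full answers;
      * of the over-limit remainder, every `slip`-th one gets a
        truncated (TC=1) response and the others are dropped;
      * slip == 0 means every over-limit response is dropped.
    """
    if queries < 0 or responses_per_second < 0 or slip < 0:
        raise ValueError("arguments must be non-negative")

    full = min(queries, responses_per_second)
    slipped = dropped = 0
    for n in range(1, queries - full + 1):   # n-th over-limit response
        if slip > 0 and n % slip == 0:
            slipped += 1                     # sent as a small TC=1 reply
        else:
            dropped += 1                     # silently discarded
    return {"full": full, "slipped": slipped, "dropped": dropped}


def answered_fraction(queries, responses_per_second, slip):
    """Fraction of queries that see any response (full or TC=1)."""
    if queries == 0:
        return 0.0
    r = simulate_second(queries, responses_per_second, slip)
    return (r["full"] + r["slipped"]) / queries


if __name__ == "__main__":
    # Constructed input: 100 queries in one second, limit of 5 per second.
    for slip in (2, 0, 1):
        r = simulate_second(100, 5, slip)
        pct = 100 * answered_fraction(100, 5, slip)
        print(f"slip {slip}: {r} -> {pct:.2f}% answered")
```

With the default slip of 2 the model gives 5 full answers plus 47 TC=1 answers out of 100, which lines up with the 52.00% / 48.00% figures in the quoted output; with "slip 0;" only the 5 full answers remain.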