[ratelimits] Analysis of BIND RRL patch + question

Vernon Schryver vjs at rhyolite.com
Mon Feb 11 19:11:33 UTC 2013


> From: ratelimits at elsif.net

>         rate-limit {
>                 responses-per-second 5;
>                 window 5;
>         };

>   Percentage completed:  52.00%
>   Percentage lost:       48.00%

>   Percentage completed:  50.20%
>   Percentage lost:       49.80%
>
> This means that I've responded to ~45 queries/second.

> Why did I respond to 45 queries/second when I'm configured to do:
>         responses-per-second 5;

Because the default 'slip' value is 2, 50% of the responses after
the first 5 get a truncated (TC=1) response or are 'slipped'.

To turn off the slip mechanism and so respond to at most 5 queries/second,
add "slip 0;" to your configuration.

The 'penalty box' mechanism in the BIND version of RRL will cause all
responses to be dropped or slipped as long as more than requests/sec
are sent after the first second when those 100 requests were sent.
Please see the BIND RRL documentation by following the link on
http://www.redbarn.org/dns/ratelimits labeled 

    Draft text for BIND9 Administrators Reference Manual (ARM)
    describing DNS Response Rate Limiting (RRL).


Vernon Schryver    vjs at rhyolite.com

