[ratelimits] Per second response limits and window size?
jm5903 at att.com
Mon Jul 29 14:18:30 UTC 2013
We are running some lab tests on 9.9.3 prior to activating RRL in production systems. Getting some unexpected results and hope someone can point out any config error we are making.
The test setup is simple, we have a load generator sending us a query mix from a range of IP addresses. We have one system (client) on another network that is simply using dnsperf to repeatedly send the same query at a rate of 100/second for a duration of 1 minute. Besides the summary results output by dnsperf, we are also using tcpdump on client to make sure we capture each response. Our rate-limit options are set as follows:
log-only no; slip 0; qps-scale 25000; window 10; ipv4-prefix-length 24;
We were expecting to get responses to the first 50 queries in the first five seconds, then nothing for 5 seconds (end of window). And then see the cycle repeat at the start of the next 10 second window.
What we get reported from dnsperf is 6000 queries sent and only 60 replies? Reviewing the tcpdump output confirms these figures, 60 replies are immediately sent in the first two seconds, and then nothing. The server log shows limiting beginning at the correct time, and then ending about a minute after the test completes.
29-Jul-2013 13:40:55.602 rate-limit: info: limit responses to 22.214.171.124/24 for www.murtarimis1.com IN A (b3332573)
29-Jul-2013 13:42:55.534 rate-limit: info: stop limiting responses to 126.96.36.199/24 for www.murtarimis1.com IN A (b3332573)
We reran the test with only one change in the config options: the slip value was set to 2 instead of zero. In that case dnsperf reported 6000 queries sent and 3042 responses received -- which would correspond to what we expect, the server sending the truncated response to every other incoming query -- over 3000 replies. Tcpdump output confirmed that after the initial replies, the system settled down to 50 responses/second.
Just wanted to confirm: if you set slip to zero, are no replies sent after the threshold is exceeded? It also appeared the window size was not having the expected effect; we may be reading the ARM incorrectly?
"Rate limiting uses a "credit" or "token bucket" scheme. Each identical response has a conceptual account that is given responses-per-second, errors-per-second, and nxdomains-per-second credits every second. A DNS request triggering some desired response debits the account by one. Responses are not sent while the account is negative. The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. A DNS client that sends requests that are not answered can be penalized for up to window seconds (default 15)."
Thanks for your help!
John Murtari <jm5903 at att.com>
C2-2A25 Middletown, NJ
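The following is an added example, not part of the post above and not BIND's own code: a small Python simulation of the "token bucket" account exactly as the quoted ARM paragraph describes it (credit of responses-per-second each second, debit of one per request, no responses while negative, capped between responses-per-second and minus window times responses-per-second), plus the documented meaning of slip (every slip-th response that would otherwise be dropped is sent truncated instead; slip 0 drops everything while limited). The post does not state its responses-per-second value, so the simulation assumes 10 (hypothetical); the 100 queries/second for 60 seconds, window 10 and slip 0 / 2 are the values from the post. The timing of the per-second credit (at the start of each second) and the off-by-one behaviour at the zero boundary are simplifications of this model, not claims about BIND's implementation.

```python
"""Simplified simulation of the RRL "token bucket" account described in the BIND ARM.

Added example, not BIND's code.  One RrlAccount models one (client prefix, response) pair:
  - every second the account is credited `rps` tokens, capped at `rps`;
  - each request debits one token; the response is sent only while the account is >= 0;
  - the account never drops below -(window * rps), so a client that keeps hammering
    needs about `window` seconds of silence before the account is back to zero;
  - slip: every slip-th request that would be dropped gets a truncated (TC=1) reply
    instead; slip 0 means nothing at all is sent while the account is negative.
Assumed (not in the post): responses-per-second = 10, credit applied at the start of
each second.  The query rate, duration, window and slip values come from the post.
"""
from dataclasses import dataclass, field

SENT, TRUNCATED, DROPPED = "sent", "truncated", "dropped"


@dataclass
class RrlAccount:
    rps: int      # responses-per-second: per-second credit and the positive cap
    window: int   # penalty window: the negative cap is -(window * rps)
    slip: int     # 0 = silent drop while negative; n = every n-th drop becomes a TC reply
    balance: int = field(init=False)
    slip_counter: int = field(init=False, default=0)

    def __post_init__(self):
        # A fresh account starts full ("cannot become more positive than the limit").
        self.balance = self.rps

    def tick(self):
        """Per-second credit, capped at rps."""
        self.balance = min(self.balance + self.rps, self.rps)

    def request(self):
        """One query that would produce this response. Returns SENT, TRUNCATED or DROPPED."""
        self.balance = max(self.balance - 1, -self.window * self.rps)
        if self.balance >= 0:
            return SENT
        # Rate limited: either slip a truncated reply or stay silent.
        if self.slip > 0:
            self.slip_counter += 1
            if self.slip_counter % self.slip == 0:
                return TRUNCATED
        return DROPPED

    def penalty_seconds(self):
        """Seconds of silence needed for the account to climb back to zero (<= window)."""
        deficit = -self.balance
        if deficit <= 0:
            return 0
        return -(-deficit // self.rps)  # ceiling division


def simulate(qps, seconds, rps, window, slip):
    """Drive one account with `qps` identical queries per second for `seconds` seconds.

    Returns (account, totals per outcome, list of SENT counts per second).
    """
    acct = RrlAccount(rps=rps, window=window, slip=slip)
    totals = {SENT: 0, TRUNCATED: 0, DROPPED: 0}
    sent_per_second = []
    for t in range(seconds):
        if t > 0:
            acct.tick()
        sent_now = 0
        for _ in range(qps):
            outcome = acct.request()
            totals[outcome] += 1
            if outcome == SENT:
                sent_now += 1
        sent_per_second.append(sent_now)
    return acct, totals, sent_per_second


if __name__ == "__main__":
    # The post's lab test: 100 qps of the same query for 60 s, window 10, slip 0 then slip 2.
    for slip in (0, 2):
        acct, totals, per_sec = simulate(qps=100, seconds=60, rps=10, window=10, slip=slip)
        print(f"slip={slip}: {totals}  first 3 seconds sent={per_sec[:3]}  "
              f"final balance={acct.balance}  penalty={acct.penalty_seconds()}s")
```

Under this model the account is pushed to the negative cap in the first second and only ever gains rps tokens per second while 100 arrive, so it never becomes non-negative again during the test: with slip 0 nothing is sent after the initial burst, and with slip 2 every other limited query gets a truncated reply. The window does not make responses reappear mid-test; it only bounds how negative the account can go, which is what limits the post-test silence to about window seconds.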