[ratelimits] RRL patch is too talkative when dropping queries

Vernon Schryver vjs at rhyolite.com
Wed Jun 12 16:13:46 UTC 2013


> From: Tomas Hozza <thozza at redhat.com>

> Is there any way to somehow limit the amount of logged information by
> RRL patch without completely turning off INFO severity syslog messages from
> BIND? Is there currently any effort to reduce the information duplication
> in RRL patch logs?

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=972376

Are the messages really duplicates in the sense that they are about
the same event, or are they identical messages about distinct responses
during an attack?  I hope they are very similar messages about distinct
responses.  That hope is supported by the change in timestamps in the
sample on that web page from 04:35:31.820 to 04:35:31.827.

There should be no danger of the messages filling a disk if the channels
that receive query-errors category messages have limits.  For example:

    category query-errors {
        info-log;
    };
    channel info-log {
        file "log/info" versions 10 size 10m;
    };

I do not see a good way to compress those messages without excessive
changes to the log mechanisms in BIND.  The messages are important to
detect false positives when not under attack, such as when using RRL
on a recursive resolver used by an SMTP server checking a DNSBL.

The messages are currently at "info" severity level.  I guess they
could be moved to "debug".


Vernon Schryver    vjs at rhyolite.com
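The channel limit described above, put into a complete named.conf fragment. This is an added example, not configuration from the original post or from BIND's documentation: the rate-limit values, the "log-only yes" dry-run setting, the exempt-clients list and the log path are assumptions chosen to illustrate the false-positive scenario the reply mentions (a resolver whose local MTA queries a DNSBL). In the 2013 RRL patch the messages arrive in the query-errors category at info severity, as the reply says; in BIND 9.10 and later they are logged in the rate-limit category instead, so route that category to the same channel on newer servers.

```conf
// Added example, not from the original post.
// Bound the disk RRL logging can consume and keep the info-severity
// messages that reveal false positives.

options {
    // Assumed RRL settings: start in dry-run mode so rate limiting is
    // only logged, not enforced, while watching for false positives.
    rate-limit {
        responses-per-second 10;
        window 5;
        log-only yes;                    // assumption: dry run first
        exempt-clients { 127.0.0.1; ::1; };   // assumption: local MTA doing DNSBL lookups
    };
};

logging {
    channel info-log {
        // Rotate at 10 MB and keep 10 old versions: at most about
        // 110 MB on disk (current file plus 10 rotated copies).
        file "log/info" versions 10 size 10m;
        severity info;
        print-time yes;
        print-category yes;
    };

    // RRL patch (2013): messages appear in query-errors.
    category query-errors { info-log; };

    // BIND 9.10 and later: the same messages use the rate-limit category.
    category rate-limit { info-log; };
};
```

Run the server with "log-only yes" for a while and grep the channel for legitimate clients being limited; once the exempt-clients list and the per-second rate look right, drop log-only to enforce. The versions/size pair on the channel is what prevents an attack from filling the disk, regardless of how many near-duplicate lines RRL writes.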

