[ratelimits] Logging category

Phil Mayers p.mayers at imperial.ac.uk
Wed May 8 19:54:05 UTC 2013

So, we've finally become a target for amplification attacks 
(DNSSEC-enabled site, "ANY" queries to our zone apex, sigh) and I've 
rolled out the 9.9.2 RRL patches.

Is it the intention that RRL drop/slip queries will *always* log in the 
"query" category? Or will a separate category be introduced when they 
are folded upstream?

I would prefer a separate category; the reason is that we've found it 
necessary to "tail" the logs and insert short-lived iptables rules (via 
ipset) to control the CPU utilisation - RRL stops the amplification, but 
named was still consuming 100% of 4 cores.

If I had a separate category I could log to a separate file, and just 
tail that, but at the moment I have to tail (and parse&discard most of) 
the query log.

Just a thought. Otherwise the patches seem to work exactly as 
advertised, no real issues.
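The tail-and-filter step described above, as an added example that is not part of the original post. The RRL log line shape, the set name `rrl-block`, the threshold and the timeout are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed shape of an RRL line in the query log (verify against your own named output):
#   ... client 198.51.100.7#53124 (example.org): rate limit drop response to ...
RRL_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?rate limit (?:drop|slip) ")

# Constructed sample: ordinary query lines mixed with RRL drop/slip lines.
SAMPLE_LOG = """\
08-May-2013 19:50:01.100 queries: info: client 198.51.100.7#53124 (example.org): query: example.org IN ANY +ED (192.0.2.53)
08-May-2013 19:50:01.101 queries: info: client 198.51.100.7#53124 (example.org): rate limit drop response to 198.51.100.0/24 for example.org IN ANY
08-May-2013 19:50:01.150 queries: info: client 198.51.100.7#53125 (example.org): rate limit slip response to 198.51.100.0/24 for example.org IN ANY
08-May-2013 19:50:01.200 queries: info: client 203.0.113.9#40000 (example.org): query: www.example.org IN A + (192.0.2.53)
08-May-2013 19:50:01.250 queries: info: client 198.51.100.7#53126 (example.org): rate limit drop response to 198.51.100.0/24 for example.org IN ANY
08-May-2013 19:50:01.300 queries: info: client 203.0.113.9#40001 (example.org): rate limit drop response to 203.0.113.0/24 for example.org IN ANY
""".splitlines()


def rrl_sources(lines, threshold=3):
    """Count RRL drop/slip lines per client; return those at or above threshold."""
    hits = Counter()
    for line in lines:
        m = RRL_RE.search(line)
        if not m:
            continue  # ordinary query-log line: discard
        try:
            # Log content is attacker-influenced; only a parsed address may
            # ever reach a command line.
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if addr.version == 4:  # assumed set type: hash:ip family inet
            hits[str(addr)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def ipset_commands(sources, set_name="rrl-block", timeout=60):
    """Build short-lived ipset entries. The sources in an amplification attack
    are spoofed victim addresses, so entries expire instead of persisting."""
    return [f"ipset -exist add {set_name} {ip} timeout {timeout}"
            for ip in sorted(sources)]


if __name__ == "__main__":
    for cmd in ipset_commands(rrl_sources(SAMPLE_LOG)):
        print(cmd)
```

The set has to be created with timeout support (for example `ipset create rrl-block hash:ip timeout 60`) and referenced from an iptables rule before the generated commands have any effect.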


