[ratelimits] Logging category
p.mayers at imperial.ac.uk
Wed May 8 19:54:05 UTC 2013
So, we've finally become a target for amplification attacks
(DNSSEC-enabled site, "ANY" queries to our zone apex, sigh) and I've
rolled out the 9.9.2 RRL patches.
Is it the intention that RRL drop/slip queries will *always* log in the
"query" category? Or will a separate category be introduced when they
are folded upstream?
I would prefer a separate category; the reason is that we've found it
necessary to "tail" the logs and insert short-lived iptables rules (via
ipset) to control the CPU utilisation - RRL stops the amplification, but
named was still consuming 100% of 4 cores.
If I had a separate category I could log to a separate file, and just
tail that, but at the moment I have to tail (and parse&discard most of)
the query log.
Just a thought. Otherwise the patches seem to work exactly as
advertised, no real issues.
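A helper of the kind the post describes (tail the query log, keep only the RRL drop/slip lines, push offending sources into an ipset with a short timeout), added here as an example and not the poster's own script. The sample log lines and the exact "rate limit drop/slip" wording are constructed assumptions, so adjust RRL_RE to what your build actually logs; the ipset commands assume a set created with `ipset create rrl_block hash:ip timeout 300` and an iptables rule that matches it.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of BIND query-log entries carrying RRL
# actions; the "rate limit drop/slip" wording is an assumption about the format.
SAMPLE_LOG = """\
08-May-2013 19:50:01.101 queries: info: client 192.0.2.10#53271 (example.org): query: example.org IN ANY +E (198.51.100.1)
08-May-2013 19:50:01.102 queries: info: client 192.0.2.10#53271 (example.org): rate limit slip response to 192.0.2.0/24 for example.org IN ANY
08-May-2013 19:50:01.103 queries: info: client 192.0.2.10#53272 (example.org): rate limit drop response to 192.0.2.0/24 for example.org IN ANY
08-May-2013 19:50:01.104 queries: info: client 192.0.2.10#53273 (example.org): rate limit drop response to 192.0.2.0/24 for example.org IN ANY
08-May-2013 19:50:01.105 queries: info: client 203.0.113.7#4444 (example.org): rate limit drop response to 203.0.113.0/24 for example.org IN ANY
08-May-2013 19:50:01.106 queries: info: client 198.51.100.5#40001 (example.org): query: www.example.org IN A -E (198.51.100.1)
"""

# Client address (IPv4 or IPv6) followed by the RRL verdict; ordinary query
# lines never match and are discarded, which is the "parse&discard" step.
RRL_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ .*?rate limit (?P<action>drop|slip)"
)


def parse_rrl_events(lines):
    """Return (ip, action) tuples for every line that records an RRL drop or slip."""
    events = []
    for line in lines:
        m = RRL_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("action")))
    return events


def select_offenders(events, threshold=2):
    """IPs whose drop count in the examined window reaches the threshold.

    Slips are deliberately not counted: a slipped client still received a
    truncated answer and may be a legitimate resolver retrying over TCP.
    """
    drops = Counter(ip for ip, action in events if action == "drop")
    return sorted(ip for ip, n in drops.items() if n >= threshold)


def ipset_commands(ips, setname="rrl_block", timeout=300):
    """Shell commands that add each IP with a per-entry timeout, so the block
    expires on its own; -exist makes repeated adds idempotent."""
    return [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in ips]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; feed real log lines
    # from tail -F in batches the same way.
    for cmd in ipset_commands(select_offenders(parse_rrl_events(SAMPLE_LOG.splitlines()))):
        print(cmd)
```

The threshold and timeout are deliberately conservative defaults; tune them against the query rate you actually see before running the emitted commands.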