[ratelimits] Logging category
vjs at rhyolite.com
Wed May 8 20:26:01 UTC 2013
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Is it the intention that RRL drop/slip queries will *always* log in the
> "query" category? Or will a separate category be introduced when they
> are folded upstream?
> I would prefer a separate category; the reason is that we've found it
> necessary to "tail" the logs and insert short-lived iptables rules (via
> ipset) to control the CPU utilisation - RRL stops the amplification, but
> named was still consuming 100% of 4 cores.
> If I had a separate category I could log to a separate file, and just
> tail that, but at the moment I have to tail (and parse&discard most of)
> the query log.
Are you using a BIND9 RRL patch from this year? I changed the
logging last year. If you are using a current version of an RRL
patch, `named -v` will say something about either ".094.21" or
Responses that are slipped or dropped are logged in the "queries"
category at the "info" level. That is the same category and level
at which the query itself and any other errors are logged. Rate
limit dispositions should no more than double the noise in the
"queries" category. If the "queries" category is too busy (it
often is), consider turning off query logging.
The separate "rate-limit" category is either less or more noisy
than the queries category depending on the level you choose for the
Please consult the ARM fragment via the link on
http://www.redbarn.org/dns/ratelimits labeled "Draft text for BIND9
Administrators Reference Manual (ARM) describing"
Vernon Schryver vjs at rhyolite.com
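
The approach discussed in this thread (send rate-limit events to their own log file, then turn repeat offenders into short-lived ipset entries), as an added example that is not part of either message or of the RRL patch. The channel name, file path, set name, thresholds and sample log lines are assumptions; the log wording varies by patch version.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed named.conf fragment
# (channel name and path are hypothetical; "rate-limit" is the category
# named in the reply above):
#   logging {
#     channel rrl_file { file "/var/log/named/rrl.log"; severity info; };
#     category rate-limit { rrl_file; };
#   };

# rrl_block_cmds SET THRESHOLD TIMEOUT  (log lines on stdin)
# Prints one "ipset add" command per client network with at least
# THRESHOLD drop/slip events. It only prints; nothing is executed.
rrl_block_cmds() {
    awk -v set="$1" -v min="$2" -v ttl="$3" '
    # The query name in a log line is chosen by the sender, so only the
    # fixed phrase followed by a numeric CIDR is ever extracted.
    match($0, /rate limit (drop|slip) response to [0-9.]+\/[0-9]+/) {
        n = split(substr($0, RSTART, RLENGTH), w, " ")
        net = w[n]
        split(net, p, "/")
        if (split(p[1], o, ".") != 4 || p[2] + 0 > 32) next
        for (i = 1; i <= 4; i++)
            if (o[i] == "" || o[i] + 0 > 255) next
        hits[net]++
    }
    END {
        for (net in hits)
            if (hits[net] >= min)
                printf "ipset add %s %s timeout %d -exist\n", set, net, ttl
    }' | sort
}

# Constructed sample lines; real wording depends on the RRL patch version.
sample_log() {
    cat <<'EOF'
08-May-2013 20:01:01.100 client 192.0.2.10#4242 (example.com): rate limit drop response to 192.0.2.0/24 for example.com IN ANY
08-May-2013 20:01:01.200 client 192.0.2.77#4243 (example.com): rate limit slip response to 192.0.2.0/24 for example.com IN ANY
08-May-2013 20:01:01.300 client 192.0.2.10#4244 (example.com): rate limit drop response to 192.0.2.0/24 for example.com IN ANY
08-May-2013 20:01:01.400 client 198.51.100.5#999 (example.org): rate limit drop response to 198.51.100.0/24 for example.org IN A
08-May-2013 20:01:02.000 client 203.0.113.9#5353 (example.net): query: example.net IN A +
08-May-2013 20:01:02.100 client 300.1.1.7#1 (example.com): rate limit drop response to 300.1.1.0/24 for example.com IN ANY
EOF
}

# Demo: networks with 3 or more events get a 300-second entry.
sample_log | rrl_block_cmds rrl-block 3 300
```

The target set has to exist as a `hash:net` set created with timeout support. Because source addresses in reflection traffic are forged, an entry also drops that network's genuine queries until it expires, which is the reason for keeping the timeout short.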