[ratelimits] Double CPU usage with RRL

Kelsey Cummings kgc at corp.sonic.net
Fri Oct 11 17:51:43 UTC 2013


On Fri, Oct 11, 2013 at 03:11:17AM +0000, Vernon Schryver wrote:
> >        rate-limit {
> >                responses-per-second 60;
> >                nxdomains-per-second 0;
> >                ipv4-prefix-length 32;
> >                log-only yes;
> >                min-table-size 200000;
> >                max-table-size 300000;
> >        };
> 
> Why such a high general RRL limit?  Are some of your users hitting it
> with DNSBL traffic?

Vernon, the problem is that a /32 represents both home residential users
and large enterprise customers that are running NAT.  Even at 60, we
were seeing hits for things like time.apple.com.  It isn't practical to
be able to differentiate between these two customers at the name
servers. 

> I trust those changes to the default table sizes are justified by
> measurements.  A DNS server that needs RRL table space to remember at
> least 200,000 responses per several seconds must be doing more than
> 20,000 qps.

That was just me taking a stab at the high CPU possibly being a full
hash table - didn't help.

-- 
Kelsey Cummings - kgc at corp.sonic.net      sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA 95407
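The thread above is about telling a NAT gateway (one /32 fronting many hosts, asking for many different names) apart from a single noisy client, using only what the name server sees. The following is an added example, not code from the list or from BIND: a small Python aggregator over RRL `log-only` lines. The log line format and the sample lines are constructed for this example and the `distinct_threshold` heuristic is an assumption; compare against your own named.log before relying on the pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of BIND RRL "log-only yes" output.
# The exact wording is an assumption for this example, not copied from a server.
SAMPLE_LOG = """\
11-Oct-2013 10:00:01 rate-limit: info: client 192.0.2.10#51001 (time.apple.com): would limit response to 192.0.2.10/32 for time.apple.com IN A (0001)
11-Oct-2013 10:00:01 rate-limit: info: client 192.0.2.10#51002 (www.example.com): would limit response to 192.0.2.10/32 for www.example.com IN A (0002)
11-Oct-2013 10:00:01 rate-limit: info: client 192.0.2.10#51003 (mail.example.net): would limit response to 192.0.2.10/32 for mail.example.net IN MX (0003)
11-Oct-2013 10:00:02 rate-limit: info: client 192.0.2.10#51004 (cdn.example.org): would limit response to 192.0.2.10/32 for cdn.example.org IN AAAA (0004)
11-Oct-2013 10:00:02 rate-limit: info: client 192.0.2.10#51005 (ntp.example.com): would limit response to 192.0.2.10/32 for ntp.example.com IN A (0005)
11-Oct-2013 10:00:02 rate-limit: info: client 198.51.100.7#40001 (victim.example): would limit response to 198.51.100.7/32 for victim.example IN ANY (0006)
11-Oct-2013 10:00:02 rate-limit: info: client 198.51.100.7#40002 (victim.example): would limit response to 198.51.100.7/32 for victim.example IN ANY (0007)
11-Oct-2013 10:00:03 rate-limit: info: client 198.51.100.7#40003 (victim.example): would limit response to 198.51.100.7/32 for victim.example IN ANY (0008)
11-Oct-2013 10:00:03 rate-limit: info: client 198.51.100.7#40004 (victim.example): would limit response to 198.51.100.7/32 for victim.example IN ANY (0009)
11-Oct-2013 10:00:03 unrelated: info: this line does not match and is skipped
"""

# Assumed line shape: "... client IP#PORT (QNAME): would limit|slip|drop response to PREFIX for QNAME IN QTYPE ..."
PATTERN = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"would (?:limit|slip|drop) response to (?P<prefix>[0-9a-fA-F.:/]+) "
    r"for \S+ IN (?P<qtype>\S+)"
)


def summarize(log_text):
    """Count RRL hits per client prefix and remember the distinct names and types."""
    per_prefix = defaultdict(lambda: {"hits": 0, "qnames": set(), "qtypes": set()})
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # not an RRL line
        rec = per_prefix[m["prefix"]]
        rec["hits"] += 1
        rec["qnames"].add(m["qname"].lower())
        rec["qtypes"].add(m["qtype"].upper())
    return per_prefix


def classify(summary, distinct_ratio=0.5):
    """Heuristic (an assumption for this example): a prefix whose hits are spread
    across many distinct names looks like a shared NAT egress; a prefix hammering
    one name looks like a single client and is a candidate for a tighter limit
    or an exempt-clients / separate rate-limit view decision by the operator."""
    verdicts = {}
    for prefix, rec in summary.items():
        spread = len(rec["qnames"]) / rec["hits"]
        verdicts[prefix] = "likely-nat" if spread >= distinct_ratio else "single-client"
    return verdicts


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for prefix, verdict in classify(s).items():
        r = s[prefix]
        print(f"{prefix:18} hits={r['hits']:3} names={len(r['qnames']):3} "
              f"types={','.join(sorted(r['qtypes']))} -> {verdict}")
```

Run it against a real log with `summarize(open("named.log").read())`; the point is that the per-prefix name spread, not the raw hit count, is what separates a NAT gateway from a single abusive source when `ipv4-prefix-length 32` lumps both into one bucket.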

