[ratelimits] Double CPU usage with RRL
vjs at rhyolite.com
Fri Oct 11 18:38:59 UTC 2013
> From: Kelsey Cummings <kgc at corp.sonic.net>
> > Why such a high general RRL limit? Are some of your users hitting it
> > with DNSBL traffic?
> Vernon, the problem is that a /32 represents both home residential users
> and large enterprise customers that are running NAT. Even at 60, we
> were seeing hits for things like time.apple.com. It isn't practical to
> be able to differentiate between these two customers at the name
So a named ACL or a list of addresses blocks for
would not be practical? Is it possible to distinguish all customers
from non-customers and give customers a high limit? I suppose not if
some customers are not (or not always) using Sonic.net IP addresses.
time.apple.com and similar are a class of frequently resolved domain
name I'd not thought of.
However, what's the worst that could happen if 50% of requests for
that domain are dropped and the other 50% are answered with truncated
responses? You'd hope that Apple's NTP implementation does the right
thing with DNS failures for NTP as well as NTP server problems.
On the third hand, if I were in charge of a large enterprise, I'd
try to keep NTP and similar traffic inside. Do Apple products
notice multicast or broadcast NTP service by default? I know at
least some Apple products can be manually configured to look for
local NTP clocks. On general principles I don't let the little bit
of Apple hardware I have phone home unsupervised, and I distrust
Apple less than most consumer vendors.
In other words, could you sell such RRL hits as a feature to your
Note that unlike simplistic firewall rate limiting, an RRL block for
responses for time.apple.com to 10.2.3.4 has no effect on other DNS
traffic to and from 10.2.3.4.
Vernon Schryver vjs at rhyolite.com
More information about the ratelimits