<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body text="#000000" bgcolor="#FFFFFF"><br>
<br>
Geert Jan de Groot wrote:
<blockquote cite="mid:20130405202515.2679D544D@berserkly.xs4all.nl"
type="cite">
<pre wrap="">On Fri, 05 Apr 2013 12:00:01 +0000 <a class="moz-txt-link-abbreviated" href="mailto:ratelimits-request@lists.redbarn.org">ratelimits-request@lists.redbarn.org</a> wrote:
</pre>
<blockquote type="cite"><pre wrap="">DNS RRL is not recommended for recursive servers, because DNS clients
can send bursts of identical, legitimate requests.
</pre></blockquote>
<pre wrap=""><!---->
I'm surprised by this. I thought that something like this would work,
and it did when I tested it:</pre>
</blockquote>
<br>
this is a mixed-mode (recursive + authoritative) server, and you're
using exempt-clients{} to avoid RRL for RD=1 traffic. so, it's working
as intended, which is to say, you're not using RRL for recursive
traffic.<br>
<br>
paul<br>
<br>
re:<br>
<br>
<blockquote cite="mid:20130405202515.2679D544D@berserkly.xs4all.nl"
type="cite">
<pre wrap="">
acl clients {
    127.0.0.1/32;
    192.0.2.0/24;
    ...
};
options {
    ...
    allow-recursion {
        clients;
    };
    rate-limit {
        responses-per-second 5;
        window 5;
        exempt-clients {
            clients;
        };
    };
};

What am I missing?

Geert Jan
_______________________________________________
ratelimits mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ratelimits@lists.redbarn.org">ratelimits@lists.redbarn.org</a>
<a class="moz-txt-link-freetext" href="http://lists.redbarn.org/mailman/listinfo/ratelimits">http://lists.redbarn.org/mailman/listinfo/ratelimits</a>
</pre>
</blockquote>
</body></html>