Copy:
bind-users@lists.isc.org
Thanks for this reply : )
We are using a named cluster in our internal network as the authoritative DNS, so there are no cache servers between clients and the named cluster. Maybe we should add one, but that is another story.
There was a strange thing when I tested RRL using queryperf. I generated 10000 qnames into test.txt and queried every qname once. The queryperf output is pasted below:
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 10000 queries
Queries completed: 9820 queries
Queries lost: 180 queries
Queries delayed(?): 0 queries
RTT max: 0.009435 sec
RTT min: 0.000072 sec
RTT average: 0.000503 sec
RTT std deviation: 0.000785 sec
RTT out of range: 0 queries
Percentage completed: 98.20%
Percentage lost: 1.80%
Started at: Thu Jul 9 11:16:03 2020
Finished at: Thu Jul 9 11:16:48 2020
Ran for: 45.300412 seconds
Queries per second: 216.775070 qps
The named rate-limiting logs are pasted below:
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44ed190 10.0.0.10#38722 (anvq.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4414020 10.0.0.10#38722 (anwi.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4518840 10.0.0.10#38722 (anvf.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4552680 10.0.0.10#38722 (anvx.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44dea00 10.0.0.10#38722 (anwa.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4487ca0 10.0.0.10#38722 (anva.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4405890 10.0.0.10#38722 (anwg.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4526fd0 10.0.0.10#38722 (anvr.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b446ad80 10.0.0.10#38722 (anvs.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4430f40 10.0.0.10#38722 (anvh.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44227b0 10.0.0.10#38722 (anvj.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b450a0b0 10.0.0.10#38722 (anvm.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44a4bc0 10.0.0.10#38722 (anwe.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4496430 10.0.0.10#38722 (anwh.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
To my mind, RRL should not limit queries with different qnames from the same client. So is this my misunderstanding, or a wrong config?
The BIND version is pasted below:
version: BIND 9.11.4-P2 (Extended Support Version) <id:7107deb>
On 8 Jul 2020 at 11:45 PM +0800, Tony Finch <dot@dotat.at> wrote:
程智勇 <chengzhycn@gmail.com> wrote:
So could anybody tell me why DNS_RRL_MAX_RATE is defined as 1000?
RRL is designed for authoritative DNS servers. Legitimate queries come
from recursive resolvers with caches. There should not be more than one
query for each RRset from each resolver per TTL. So a normal response rate limit is relatively small - I set it to 10.
If you are hitting 1000 queries per second, that implies either there
are 1000 resolvers behind one IP address (which is VERY unlikely); or the query traffic is abusive.
Are you sure the dropped traffic is legitimate?
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Channel Islands: West to southwest 4 to 5, occasionally 6 mid-channel overnight and Thursday morning, occasionally west to northwest 2 to 4 in the far south of the area. Slight to moderate with a low swell, perhaps occasionally rather rough mid-channel until late morning. Occasional mist and fog, especially overnight rain and drizzle at times, especially from Thursday morning. Moderate to poor or very poor, locally good at times.
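Added example, not from the thread: a small Python parser for named's rate-limit log lines that groups drops by client prefix and RRL bucket, so a defender can tell whether a client was limited by the per-name responses-per-second bucket or by the "all" bucket shown in the log above, which is what all-per-second enforces regardless of qname. The NXDOMAIN drop and the "slip" line in the sample are constructed to show the other message shapes; the three "all" lines are copied from the log in the thread.

```python
import re
from collections import defaultdict
# Constructed sample: three lines copied from the thread's log, plus a constructed
# per-name NXDOMAIN drop and a "slip" from a second client to show other shapes.
SAMPLE_LOG = """\
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44ed190 10.0.0.10#38722 (anvq.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4414020 10.0.0.10#38722 (anwi.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4518840 10.0.0.10#38722 (anvf.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.060 rate-limit: info: client @0x7f83b4405890 10.0.0.10#38722 (nope.internal): view xxxx: rate limit drop NXDOMAIN response to 10.0.0.10/32
09-Jul-2020 11:16:54.061 rate-limit: info: client @0x7f83b4526fd0 10.0.0.20#40001 (www.internal): view xxxx: rate limit slip response to 10.0.0.20/32
"""

# Shape: "... rate limit <drop|slip> [<bucket> ]response to <prefix>"; no bucket keyword
# means the per-name responses-per-second bucket, "all" means the all-per-second bucket.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rate-limit: \w+: client @0x[0-9a-f]+ "
    r"(?P<client>[^#\s]+)#\d+ \((?P<qname>[^)]*)\): (?:view (?P<view>\S+): )?"
    r"rate limit (?P<action>drop|slip|stop limiting) "
    r"(?:(?P<bucket>NXDOMAIN|NODATA|referral|error|all) )?response to (?P<prefix>\S+)$"
)

def parse_rrl_line(line):
    """Return the fields of one rate-limit line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["bucket"] = rec["bucket"] or "per-name"
    return rec

def summarize(lines):
    """Group by (client prefix, bucket): drop/slip counts and distinct qnames."""
    out = defaultdict(lambda: {"drops": 0, "slips": 0, "qnames": set()})
    for rec in filter(None, map(parse_rrl_line, lines)):
        entry = out[(rec["prefix"], rec["bucket"])]
        if rec["action"] == "drop":
            entry["drops"] += 1
        elif rec["action"] == "slip":
            entry["slips"] += 1
        entry["qnames"].add(rec["qname"])
    return dict(out)

def diagnose(summary):
    """One finding per (prefix, bucket); the 'all' bucket means all-per-second fired."""
    findings = []
    for (prefix, bucket), e in sorted(summary.items()):
        cause = ("all-per-second: every response to the block counts, whatever the qname"
                 if bucket == "all" else f"{bucket} bucket, keyed per name and type")
        findings.append(f"{prefix}: {e['drops']} drops, {e['slips']} slips over {len(e['qnames'])} qname(s); {cause}")
    return findings
```

Run `diagnose(summarize(SAMPLE_LOG.splitlines()))` to see one finding per client and bucket; many distinct qnames all dropped under "all" is the signature of all-per-second firing, which is the behaviour the thread is asking about.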