Hi Shane,

On Fri, 2013-09-20 at 11:38 +0200, Shane Kerr wrote:
> Noel,
>
> On 2013-09-20 12:48:31 (Friday)
> Noel Butler <noel.but...@ausics.net> wrote:
>
> > On Fri, 2013-09-20 at 01:59 +0000, Vernon Schryver wrote:
> >
> > > > plenty of delayed mail - hostname lookup failures (mostly because of
> > > > URI/DNS BLs), so it certainly works as intended :)
> > >
> > > That sounds unrelated to RRL. Again, RRL affects standards-compliant
> > > DNS clients no more than a 50% packet loss rate on the path from the
> > > DNS client to the server. If your mail system suffered hostname
> > > lookup failures, then I think something else was broken.
>
> With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> fail, right? If you've got enough legitimate lookups going on to
> trigger RRL then you're going to get lots of failures.
>
> One workaround for this is to set SLIP to 1. I know Vernon recommends
> against that, but personally I don't think there is any downside.
>
Might give that a go, thanks for the suggestion.

> > Nope, either way, daemon.log was filling up with messages indicating
> > RRL, last time I tried, Aug 29,
> >
> > lots of
> > limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org ,
> > limit NXDOMAIN responses to xxxxxx/24 for xxx.net
> >
> > pretty much one for every DNSBL, URIBL etc. used....
>
> This doesn't indicate that anything is actually failing for the querying
> hosts, just that they are issuing a lot of queries.
>

Maybe not directly, but along with the time-corresponding maillog filling up with errors, it certainly is all the proof I need.

> > The problem occurred within a minute of enabling RRL, and ended right
> > after disabling RRL.
> > On that date, log files show the version was actually BIND 9.9.4rc1.
> >
> > Now I've read your link, I can perhaps understand more of the options and
> > fine tune it, but I'm about to head out for lunch, so I might play around later
> > this afternoon.
>
> I think the actual issue is that for DNS IP blacklists (or whitelists)
> RRL is probably harmful. Many or even most queries to those servers
> will result in the same NXDOMAIN response. This is expected and desired
> behavior, but RRL interprets this as potential abuse.
>
> While the fallback to TCP (combined with my recommendation of SLIP 1
> above) will mean that service will continue without problem, one reason
> that DNS was chosen for such services is that it is very lightweight,
> and forcing traffic to TCP is an anti-goal. :)
>
> Probably you should disable RRL for servers that are primarily used for
> IP-based blacklists (or whitelists).
>

Will try with views and SLIP 1, likely tomorrow now since it's rather late here; will post a followup with results.

Cheers
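As an added example (not from the thread, and not a configuration any of the posters published), here is a named.conf fragment putting together the two things discussed above: a separate view for the mail servers' DNSBL lookups with no rate-limit at all, and, for everyone else, RRL with `slip 1` so that a rate-limited client always receives a truncated (TC=1) answer and retries over TCP instead of having every other response silently dropped. The ACL ranges, view names, zone names and file paths are placeholders.

```conf
// Added example: hypothetical named.conf fragment illustrating RRL tuning
// for a server whose main clients are mail servers doing DNSBL/URIBL lookups.
// Ranges, view names, zones and file paths are placeholders.

acl mailservers { 192.0.2.0/24; 2001:db8:1::/48; };

options {
    directory "/var/named";
    // No rate-limit here: when views are used, set it per view so the
    // DNSBL-heavy clients can be left out entirely.
};

// View 1: the mail servers. A flood of identical NXDOMAIN answers for
// zen.spamhaus.org and friends is normal here, so RRL is not configured.
view "mail" {
    match-clients { mailservers; };
    recursion yes;
    allow-recursion { mailservers; };
    zone "." { type hint; file "named.ca"; };
};

// View 2: everyone else. RRL stays on, but with slip 1 every limited
// response is sent truncated rather than dropped, so a compliant resolver
// falls back to TCP instead of timing out.
view "everyone-else" {
    match-clients { any; };
    recursion no;

    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 10;   // NXDOMAINs are counted per zone, per client /24
        slip 1;                    // 1 = truncate every limited answer, never drop
        exempt-clients { mailservers; };   // belt and braces if a mail host ever lands here
        log-only yes;              // measure first; remove this line to enforce
    };

    zone "." { type hint; file "named.ca"; };
    zone "example.net" { type master; file "example.net.zone"; };
};
```

Two practical caveats: once any `view` is defined, BIND requires every zone to live inside a view, so the hint and authoritative zones have to be repeated in each view that needs them; and `log-only yes` lets you watch the "limit NXDOMAIN responses" lines in daemon.log against the maillog before actually enforcing anything. Run `named-checkconf` on the result before reloading. If views are more than you want, the single-view equivalent is simply `rate-limit { ... slip 1; exempt-clients { mailservers; }; }` under `options`.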
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users