Blr,

        We do run RRL on some of our servers, example option clause below that 
activates the feature.  Two suggestions:

1. You mention you 'inherited' the server and looked at /etc/named.conf -- 
verify that it is not running chrooted into another directory and using another 
config file (I know it's obvious, but I've been caught several times by this).

2. I might agree with some of the other responses that think the logging you 
are seeing is NOT from RRL. Logging/options from a server running 9.9.8 
below. You can see the lines are tagged with 'rate-limit':

30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)

        rate-limit {
                domain                  ".";
                responses-per-second    50;
                window                  15;
                log-only                no;
                qps-scale               35000;
                IPv4-prefix-length      28;
                IPv6-prefix-length      56;
                slip                    2;
                exempt-clients          { 127.0.0.1/32; ....... };
        };

John

----------
Message: 6
Date: Mon, 15 Aug 2016 20:23:17 -0700 (PDT)
From: blrmaani <blrma...@gmail.com>
To: comp-protocols-dns-b...@isc.org
Subject: Re: Disabling rate-limit?
Message-ID: <b0daf19e-721f-43bf-aa68-14418c947...@googlegroups.com>
Content-Type: text/plain; charset=UTF-8

From tcpdump, it appears that customers are receiving delayed responses and are 
too sensitive to timeouts. 

The queries they are sending are authoritative, i.e. the zone is on our 
nameserver. 

How do I troubleshoot this issue? This is really intermittent and hard to 
reproduce.

thanks
Blr

On Monday, August 15, 2016 at 7:27:44 PM UTC-7, John Miller wrote:
> Hi Blr,
> 
> First things first: if your customers are sending queries, this is
> probably about their own recursive queries timing out, rather than
> incoming authoritative queries timing out.
> 
> Something else you should check: are your customers receiving a
> delayed (say a few seconds) SERVFAIL response, or are they receiving
> no response at all?
> 
> There's a different set of options in BIND for recursive rate limiting
> versus authoritative rate limiting.
> 
> Recursive queries:
> 
> * recursive-clients
> * clients-per-query
> * max-clients-per-query
> 
> Running 'rndc status' is a good way to see how close you are to these
> limits; you'll see log messages like
> 
> "no more recursive clients: quota reached"
> 
> There's also a newer set of "recursive client rate-limiting" features
> available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
> sure this doesn't apply to your case.
> 
> Authoritative queries:
> https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
> IIRC, rate-limiting for authoritative queries (called "Response rate
> limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
> required a specific build in BIND 9.9.x.  It's not available in BIND
> 9.8.x.
> 
> John
> 
> On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrma...@gmail.com> wrote:
> > I inherited a DNS server which is running BIND 9.8.x. There was a DNS 
> > incident where our customers complained that they saw query timeouts 
> > intermittently (our customers run cassandra/hadoop applications and send 
> > the same queries repeatedly). They also run nscd on their hosts, but I was told 
> > all have the same TTL value of 3600, indicating all names expire at the same 
> > time on thousands of client hosts.
> >
> > I tried to reproduce the issue by sending hostname.bind queries and I see 
> > logs similar to the one below:
> >
> > <time> <client-hostname> named[<pid>]: limit responses to <subnet> for 
> > hostname.bind CH TXT <hex-number>
> > <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> 
> > for hostname.bind CH TXT <hex-number>
> >
> >
> > I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am 
> > confused because BIND ARM says rate-limit is disabled by default. But logs 
> > indicate otherwise.
> >
> > ( I did "grep rate /etc/*" and didn't see anything. There are no includes 
> > in named.conf)
> >
> > Please advise on how I can disable rate-limit on my DNS server.
> >
> >
> > I did a strings on 'named' binary and see this:
> >
> > strings /usr/sbin/named | egrep -i rrl
> > dns_rrl
> > dns_rrl_init
> > dns_rrl_view_destroy
> >
> > What else do I need to check to identify if RRL is enabled?
> >
> >
> > Thanks
> > Blr
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> -- 
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
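The thread turns on whether the lines Blr sees come from RRL at all. The RRL log lines John quotes above, the syslog-style lines in Blr's original report, and the "no more recursive clients: quota reached" message from the recursive-client quota are emitted by different subsystems and have different shapes. The following is an added example (not code from the thread, from ISC or from BIND itself): a small Python classifier that tells them apart over constructed sample lines, handling both BIND's own file-log format (with the 'rate-limit:' category prefix, which only appears when the logging channel prints categories) and the syslog format. The sample addresses are RFC 5737 documentation ranges and the hex tokens are made-up placeholders.

```python
"""Classify BIND named log lines: response-rate-limiting (RRL) vs recursive-client quota.

Added example; it assumes only the message wording quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample log (not captured from any real server). Addresses are
# RFC 5737 documentation ranges; the hex tokens are made-up placeholders.
SAMPLE_LOG = """\
30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 192.0.2.0/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 198.51.100.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 198.51.100.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 198.51.100.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
Jul 30 23:25:01 ns1 named[1234]: limit responses to 203.0.113.0/28 for hostname.bind CH TXT (0a1b2c3d)
Jul 30 23:25:31 ns1 named[1234]: stop limiting responses to 203.0.113.0/28 for hostname.bind CH TXT (0a1b2c3d)
Jul 30 23:26:40 ns1 named[1234]: no more recursive clients: quota reached
Jul 30 23:26:41 ns1 named[1234]: zone example.com/IN: loaded serial 2016073001
"""

# RRL messages share one shape whether the logging channel prefixes the
# 'rate-limit:' category (print-category yes) or syslog prefixes host and pid.
# The response type (NXDOMAIN, error, ...) is optional: plain "responses"
# means ordinary answers were limited.
RRL_RE = re.compile(
    r"(?P<action>stop limiting|rate limit slip|limit) "
    r"(?:(?P<rtype>[A-Za-z]+) )?responses? to (?P<subnet>[0-9A-Fa-f.:]+/\d+)"
    r"(?: for (?P<qname>\S+))?"
)
ACTION_NAMES = {"stop limiting": "stop", "rate limit slip": "slip", "limit": "limit"}

# Emitted by the recursive-client quota (recursive-clients), not by RRL.
RECURSIVE_QUOTA = "no more recursive clients: quota reached"

EMPTY = {"action": None, "rtype": None, "subnet": None, "qname": None}


def parse_line(line):
    """Return a dict saying which subsystem produced the line and, for RRL
    lines, what was limited (action, response type, client subnet, qname)."""
    if RECURSIVE_QUOTA in line:
        return {"source": "recursive-client-quota", **EMPTY}
    m = RRL_RE.search(line)
    if m:
        return {
            "source": "rrl",
            "action": ACTION_NAMES[m.group("action")],
            "rtype": m.group("rtype"),
            "subnet": m.group("subnet"),
            "qname": m.group("qname"),
        }
    return {"source": "other", **EMPTY}


def summarize(log_text):
    """Count lines per source and, for RRL, per (action, subnet) pair so the
    subnets actually being limited stand out."""
    by_source = Counter()
    rrl_events = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_source[rec["source"]] += 1
        if rec["source"] == "rrl":
            rrl_events[(rec["action"], rec["subnet"])] += 1
    return {"by_source": dict(by_source), "rrl_events": dict(rrl_events)}


def rrl_active(log_text):
    """True if any RRL 'limit' or 'slip' event appears: that is the evidence
    that the server is rate limiting, whatever named.conf appears to say."""
    return any(a in ("limit", "slip") for (a, _s) in summarize(log_text)["rrl_events"])


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(summarize(SAMPLE_LOG))
    print("RRL active:", rrl_active(SAMPLE_LOG))
```

Run it against a real named log (file channel or syslog) by replacing SAMPLE_LOG with the file contents; a non-empty `rrl_events` result answers Blr's question directly, while only `recursive-client-quota` hits point at the recursive-clients options John lists rather than at RRL.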



------------------------------

End of bind-users Digest, Vol 2466, Issue 1
*******************************************