Blr,
We do run RRL on some of our servers, example option clause below that
activates the feature. Two suggestions:
1. You mention you 'inherited' the server and looked at /etc/named.conf --
verify that it is not running chroot to another directory and using another
config file (I know it's obvious, but I've been caught several times by this).
2. I might agree with some of the other responses that think the logging you
are seeing is NOT from RRL. Logging/options from a server running 9.9.8
below. You can see the lines are tagged with 'rate-limit' :
30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to
12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to
65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702
(153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to
65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)
rate-limit {
domain ".";
responses-per-second 50;
window 15;
log-only no;
qps-scale 35000;
IPv4-prefix-length 28;
IPv6-prefix-length 56;
slip 2;
exempt-clients { 127.0.0.1/32; ....... }
}
John
----------
Message: 6
Date: Mon, 15 Aug 2016 20:23:17 -0700 (PDT)
From: blrmaani <blrma...@gmail.com>
To: comp-protocols-dns-b...@isc.org
Subject: Re: Disabling rate-limit?
Message-ID: <b0daf19e-721f-43bf-aa68-14418c947...@googlegroups.com>
Content-Type: text/plain; charset=UTF-8
>From tcpdump, it appears that customers are receiving delayed response and are
>too sensitive for timeouts.
The queries they are sending are authoritative i.e the zone is on our
nameserver.
How do I trouble-shoot this issue? This is really intermittent and hard to
reproduce..
thanks
Blr
On Monday, August 15, 2016 at 7:27:44 PM UTC-7, John Miller wrote:
> Hi Blr,
>
> First things first: if your customers are sending queries, this is
> probably about their own recursive queries timing out, rather than
> incoming authoritative queries timing out.
>
> Something else you should check: are your customers receiving a
> delayed (say a few seconds) SERVFAIL response, or are they receiving
> no response at all?
>
> There's a different set of options in BIND for recursive rate limiting
> versus authoritative rate limiting.
>
> Recursive queries:
>
> * recursive-clients
> * clients-per-query
> * max-clients-per-query
>
> Running 'rndc status' is a good way to see how close you are to these
> limits; you'll see log messages like
>
> "no more recursive clients: quota reached"
>
> There's also a newer set of "recursive client rate-limiting" features
> available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
> sure this doesn't apply to your case.
>
> Authoritative queries:
> https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
> IIRC, rate-limiting for authoritative queries (called "Response rate
> limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
> required a specific build in BIND 9.9.x. It's not available in BIND
> 9.8.x.
>
> John
>
> On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrma...@gmail.com> wrote:
> > I inherited a DNS server which is running BIND 9.8.x. There was a DNS
> > incident where our customers complained that they saw query timeouts
> > intermittently (Our customers run cassandra/hadoop applications and send
> > same queries repeatedly). They also run nscd on their hosts but I was told
> > all have same TTL value of 3600 indicating all names expire at the same
> > time on thousands of client hosts).
> >
> > I tried to reproduce the issue by sending hostname.bind queries and I see
> > logs similar to the one below:
> >
> > <time> <client-hostname> named[<pid>]: limit responses to <subnet> for
> > hostname.bind CH TXT <hex-number>
> > <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet>
> > for hostname.bind CH TXT <hex-number>
> >
> >
> > I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am
> > confused because BIND ARM says rate-limit is disabled by default. But logs
> > indicate otherwise.
> >
> > ( I did "grep rate /etc/*" and didn't see anything. There are no includes
> > in named.conf)
> >
> > Please advice on how I can disable rate-limit on my DNS server.
> >
> >
> > I did a strings on 'named' binary and see this:
> >
> > strings /usr/sbin/named | egrep -i rrl
> > dns_rrl
> > dns_rrl_init
> > dns_rrl_view_destroy
> >
> > What else do I need to check to identify if RRL is enabled?
> >
> >
> > Thanks
> > Blr
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
------------------------------
Subject: Digest Footer
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
------------------------------
End of bind-users Digest, Vol 2466, Issue 1
*******************************************
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
