Blr,

We do run RRL on some of our servers; an example options clause that activates the feature is below. Two suggestions:

1. You mention you 'inherited' the server and looked at /etc/named.conf -- verify that it is not running chroot to another directory and using another config file (I know it's obvious, but I've been caught several times by this).

2. I might agree with some of the other responses that think the logging you are seeing is NOT from RRL. Logging/options from a server running 9.9.8 are below. You can see the lines are tagged with 'rate-limit':

30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)

rate-limit {
    domain ".";
    responses-per-second 50;
    window 15;
    log-only no;
    qps-scale 35000;
    IPv4-prefix-length 28;
    IPv6-prefix-length 56;
    slip 2;
    exempt-clients {
        127.0.0.1/32;
        .......
    };
};

John

---------- Message: 6
Date: Mon, 15 Aug 2016 20:23:17 -0700 (PDT)
From: blrmaani <blrma...@gmail.com>
To: comp-protocols-dns-b...@isc.org
Subject: Re: Disabling rate-limit?
Message-ID: <b0daf19e-721f-43bf-aa68-14418c947...@googlegroups.com>
Content-Type: text/plain; charset=UTF-8

From tcpdump, it appears that customers are receiving delayed responses and are too sensitive to timeouts. The queries they are sending are authoritative, i.e. the zone is on our nameserver.

How do I troubleshoot this issue? This is really intermittent and hard to reproduce.

thanks
Blr

On Monday, August 15, 2016 at 7:27:44 PM UTC-7, John Miller wrote:
> Hi Blr,
>
> First things first: if your customers are sending queries, this is
> probably about their own recursive queries timing out, rather than
> incoming authoritative queries timing out.
>
> Something else you should check: are your customers receiving a
> delayed (say a few seconds) SERVFAIL response, or are they receiving
> no response at all?
>
> There's a different set of options in BIND for recursive rate limiting
> versus authoritative rate limiting.
>
> Recursive queries:
>
> * recursive-clients
> * clients-per-query
> * max-clients-per-query
>
> Running 'rndc status' is a good way to see how close you are to these
> limits; you'll see log messages like
>
> "no more recursive clients: quota reached"
>
> There's also a newer set of "recursive client rate-limiting" features
> available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
> sure this doesn't apply to your case.
>
> Authoritative queries:
> https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
> IIRC, rate-limiting for authoritative queries (called "Response rate
> limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
> required a specific build in BIND 9.9.x. It's not available in BIND
> 9.8.x.
>
> John
>
> On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrma...@gmail.com> wrote:
> > I inherited a DNS server which is running BIND 9.8.x. There was a DNS
> > incident where our customers complained that they saw query timeouts
> > intermittently (our customers run cassandra/hadoop applications and send
> > the same queries repeatedly). They also run nscd on their hosts, but I was
> > told all have the same TTL value of 3600, indicating all names expire at
> > the same time on thousands of client hosts.
> >
> > I tried to reproduce the issue by sending hostname.bind queries and I see
> > logs similar to the one below:
> >
> > <time> <client-hostname> named[<pid>]: limit responses to <subnet> for
> > hostname.bind CH TXT <hex-number>
> > <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet>
> > for hostname.bind CH TXT <hex-number>
> >
> > I reviewed /etc/named.conf and do not see a 'rate-limit' configuration. I am
> > confused because the BIND ARM says rate-limit is disabled by default. But the
> > logs indicate otherwise.
> >
> > (I did "grep rate /etc/*" and didn't see anything. There are no includes
> > in named.conf.)
> >
> > Please advise on how I can disable rate-limit on my DNS server.
> >
> > I ran strings on the 'named' binary and see this:
> >
> > strings /usr/sbin/named | egrep -i rrl
> > dns_rrl
> > dns_rrl_init
> > dns_rrl_view_destroy
> >
> > What else do I need to check to identify if RRL is enabled?
> >
> > Thanks
> > Blr
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619

------------------------------

Subject: Digest Footer

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 2466, Issue 1
*******************************************
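As an added example (my own code, not anything posted in the thread above and not part of BIND): a small Python parser for the 'rate-limit' category lines John quoted from his 9.9.8 server. It keeps only lines that carry the "rate-limit:" tag, classifies each as a limit, slip or stop event, and tallies events per client prefix, which is the check John's second suggestion calls for: if a log line does not carry that tag, it did not come from RRL and the recursive-client quotas are the next place to look. The sample log is constructed from the three lines quoted above plus one ordinary query-log line; the regexes assume the 9.9/9.10 message wording shown in those lines.

```python
import re
from collections import Counter

# Constructed sample log: the three rate-limit lines quoted in the thread
# plus one ordinary 'queries' category line (constructed, not from the
# thread) to show that non-RRL logging is ignored.
SAMPLE_LOG = """\
30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA (05bd036f)
30-Jul-2016 23:21:09.001 queries: info: client 65.218.138.57#48702 (www.example.com): query: www.example.com IN A -E (192.0.2.1)
"""

# named's default timestamp, then the logging category and severity.
TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
CATEGORY = r" rate-limit: (?P<severity>\w+): "

# Three message shapes seen in the quoted lines. The response type
# (NXDOMAIN, error, ...) is optional because the poster's hostname.bind
# lines read just "limit responses to <subnet> for ...".
PATTERNS = {
    "stop": re.compile(
        TS + CATEGORY + r"stop limiting(?: (?P<rtype>\S+))? responses to (?P<net>\S+)$"),
    "limit": re.compile(
        TS + CATEGORY + r"limit(?: (?P<rtype>\S+))? responses to (?P<net>\S+)"
        r"(?: for (?P<name>.*?))?(?: \((?P<hash>[0-9a-f]+)\))?$"),
    "slip": re.compile(
        TS + CATEGORY + r"client (?P<client>\S+) \((?P<qname>[^)]*)\): "
        r"rate limit slip(?: (?P<rtype>\S+))? response to (?P<net>\S+)"),
}


def parse_line(line):
    """Return a dict describing one RRL event, or None when the line is not
    from the rate-limit logging category (so it cannot be RRL output)."""
    for event, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["event"] = event
            return fields
    return None


def is_rrl_line(line):
    """True only for lines tagged 'rate-limit:' in one of the known shapes."""
    return parse_line(line) is not None


def parse_log(text):
    """Parse a whole log, dropping lines that are not RRL events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Count limit/slip/stop events per client prefix. The prefix is the
    /28 or /56 bucket from the server's ipv4/ipv6-prefix-length, so this
    shows which client groups are actually being limited."""
    per_net = {}
    for e in events:
        per_net.setdefault(e["net"], Counter())[e["event"]] += 1
    return per_net


if __name__ == "__main__":
    for net, counts in summarize(parse_log(SAMPLE_LOG)).items():
        print(net, dict(counts))
```

Run against a real named log, an empty result from parse_log() means none of the lines are RRL output, whatever they say about limiting; a prefix showing slip events with no stop event tells you the limit is still in force for that client group.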