--On 1 December 2020 at 08:24:50 -0600 Lyle Giese <l...@lcrcomputer.net> wrote:
You need to look at the reply named sends when it trips and starts limiting UDP traffic sourced from a given IP address. It tells the requestor to try again using TCP instead of UDP. So if the requestor is a legit DNS server, it will retry using TCP and still get a valid answer. Named does not blindly just drop traffic.
Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to stop sending responses).
Documentation for rate-limit seemed a bit patchy, e.g. KB aa-00994 references "See ARM 6.2.15", which doesn't exist. In fact a lot of the KB documents reference BIND 9.9, and things have moved on.
But I can see it's better explained in the current ARM / Section 4.2.14.19 now.
In fact, that entry also covers/says "Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively". It looks like it documents where these are in stats as well (RateDropped / QryDropped et al.), so I think I'm good to go.
-Karl

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
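The point the two posters are circling (RRL drops most limited responses but "slips" a truncated TC=1 reply every slip-th time, so a legitimate resolver retries over TCP, which RRL never limits) is easier to see as a model. The following is an added example written for this thread, not BIND's own code and not from either poster. It is a simplified token-bucket model of named's rate-limit block: buckets are keyed by client netblock plus the response (approximated here by qname and qtype), credits refill at responses-per-second and are bounded by window in both directions, and the slip counter picks which limited responses are truncated. The responses-per-second value of 2, the slip of 2, the client addresses and the burst sizes are constructed sample input; the exact ordering of drop versus slip within a burst is this model's choice, not a claim about named's internals.

```python
"""Simplified model of BIND response rate limiting (RRL) with 'slip'.

Added illustration, not code from BIND or from the bind-users thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RrlConfig:
    # Assumed values for the model. BIND has no default responses-per-second
    # (rate limiting is off unless the option is set); 2 is used here so a
    # small burst trips the limit.
    responses_per_second: int = 2
    window: int = 15          # seconds of credit (or debt) a bucket may hold
    slip: int = 2             # every slip-th limited reply is truncated, not dropped
    ipv4_prefix_length: int = 24
    ipv6_prefix_length: int = 56


@dataclass
class Bucket:
    credits: float
    last_seen: float
    slip_counter: int = 0


class RateLimiter:
    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.buckets: dict = {}

    def _key(self, client_ip: str, qname: str, qtype: str) -> tuple:
        # RRL groups clients by netblock (default /24 IPv4, /56 IPv6) and by
        # the response they would receive; (qname, qtype) stands in for that.
        addr = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip: str, qname: str, qtype: str,
               now: float, transport: str = "udp") -> str:
        """Return 'send', 'drop', or 'slip' (send a truncated TC=1 reply)."""
        # RRL only applies to UDP; a client retrying over TCP is answered normally.
        if transport == "tcp":
            return "send"
        rps = self.cfg.responses_per_second
        cap = rps * self.cfg.window
        key = self._key(client_ip, qname, qtype)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(credits=rps, last_seen=now)
        # Credits refill at responses-per-second, bounded at rps * window.
        b.credits = min(b.credits + (now - b.last_seen) * rps, cap)
        b.last_seen = now
        # Every response, sent or not, costs one credit; a client that keeps
        # sending goes into debt (bounded at -cap) and stays limited.
        b.credits = max(b.credits - 1, -cap)
        if b.credits >= 0:
            return "send"
        if self.cfg.slip == 0:
            return "drop"
        b.slip_counter += 1
        if b.slip_counter >= self.cfg.slip:
            b.slip_counter = 0
            return "slip"
        return "drop"


def simulate_burst(limiter: RateLimiter, client_ip: str, qname: str,
                   qtype: str, n: int, t0: float = 0.0) -> dict:
    """Send n identical UDP queries at the same instant and tally the decisions."""
    tally = {"send": 0, "drop": 0, "slip": 0}
    for _ in range(n):
        tally[limiter.decide(client_ip, qname, qtype, t0)] += 1
    return tally


def resolver_lookup(limiter: RateLimiter, client_ip: str, qname: str,
                    qtype: str, now: float):
    """A well-behaved resolver: UDP first, TCP retry on a truncated reply.

    Returns the transport that finally produced an answer, or None when the
    UDP reply was dropped (the resolver would time out and retry over UDP).
    """
    first = limiter.decide(client_ip, qname, qtype, now, "udp")
    if first == "send":
        return "udp"
    if first == "slip" and limiter.decide(client_ip, qname, qtype, now, "tcp") == "send":
        return "tcp"
    return None


if __name__ == "__main__":
    rrl = RateLimiter(RrlConfig(responses_per_second=2, slip=2))
    # Constructed traffic: a burst of 10 identical queries from one /24.
    print(simulate_burst(rrl, "192.0.2.10", "example.com", "A", 10))
    # A neighbour in the same /24 shares the bucket; a different /24 does not.
    print(rrl.decide("192.0.2.200", "example.com", "A", 0.0))
    print(rrl.decide("198.51.100.7", "example.com", "A", 0.0))
    # Once the window has elapsed the bucket has refilled.
    print(rrl.decide("192.0.2.10", "example.com", "A", 30.0))
    # A resolver that honours TC=1 still gets its answer, over TCP.
    rrl2 = RateLimiter(RrlConfig(responses_per_second=1, slip=1))
    print([resolver_lookup(rrl2, "203.0.113.5", "example.org", "MX", 0.0) for _ in range(3)])
```

Running the script with the constructed burst shows 2 of 10 replies sent and the remaining 8 split between dropped and truncated; the third client, in another /24, is untouched, and the resolver simulation shows the UDP answer, then a TCP answer after a truncated reply, then a timeout once slip has been used. That is the "retries with UDP or with TCP respectively" behaviour the ARM describes, and it is why a tightly set slip does not cut off legitimate resolvers the way a pure drop would.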