I've been running with this configuration on some authoritative nameservers for the last couple of years:
    rate-limit {
        responses-per-second 100;
        errors-per-second 1000;
        nxdomains-per-second 1000;
        max-table-size 50000;
        slip 2;
    };
    options { tcp-clients 5000; };

I understand these definitions are considered rather on the upper end of things.

Every once in a while some rather large query bursts come along and trigger the NXDOMAIN limit (mostly on random names from google, microsoft, yahoo or cloudflare sources):

    17-Nov-2022 21:42:45.196 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63673 (3uPpY.<somedomain>): rate limit drop NXDOMAIN response to 13.106.140.0/24 for <somedomain> (1c97f572)

As expected this forces them to use TCP instead of UDP. This then quickly fills up the available "tcp-clients" pool, which of course has negative effects for other clients.

Does anyone want to share their take on how to handle such query bursts? Is anyone using "nxdomains-per-second" experiencing similar things? Since 1000 seems to be the maximum, I tend toward setting it to 0 to avoid filling up the tcp-clients pool.

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
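One way to see which source prefixes and target zones are actually tripping the NXDOMAIN limit, and how much TCP-retry pressure the "slip" setting is generating, is to tally the rate-limit log lines before deciding whether to lower "nxdomains-per-second". The script below is an added example written for this thread, not the poster's code and not part of BIND. It assumes the log line layout shown in the post (with "drop" or "slip" as the action), and the sample log lines are constructed, using the 13.106.140.0/24 prefix from the post and a placeholder zone name.

```python
import re
from collections import Counter

# Field layout assumed from the single rate-limit line quoted in the post:
#   <date> <time> rate-limit: client @0x<ptr> <ip>#<port> (<qname>): rate limit
#   <drop|slip> <rtype> response to <prefix> for <domain> (<hash>)
RRL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rate-limit: client @0x[0-9a-f]+ "
    r"(?P<client>[0-9a-f.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"rate limit (?P<action>drop|slip) (?P<rtype>\S+) response to "
    r"(?P<prefix>\S+) for (?P<domain>\S+) \([0-9a-f]+\)$"
)

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
17-Nov-2022 21:42:45.196 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63673 (3uPpY.example.test): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.test (1c97f572)
17-Nov-2022 21:42:45.201 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63674 (q8Lz1.example.test): rate limit slip NXDOMAIN response to 13.106.140.0/24 for example.test (1c97f572)
17-Nov-2022 21:42:45.207 rate-limit: client @0x7fa3dd9b1950 13.106.140.91#40211 (mNv02.example.test): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.test (1c97f572)
17-Nov-2022 21:42:45.212 rate-limit: client @0x7fa3dd9b1950 13.106.140.91#40212 (ZZt7a.example.test): rate limit slip NXDOMAIN response to 13.106.140.0/24 for example.test (1c97f572)
17-Nov-2022 21:42:45.220 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63680 (kk9Qw.example.test): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.test (1c97f572)
17-Nov-2022 21:42:45.300 rate-limit: client @0x7fa3dd9b1950 203.0.113.9#5353 (abc.example.test): rate limit drop NXDOMAIN response to 203.0.113.0/24 for example.test (1c97f573)
17-Nov-2022 21:42:46.001 general: unrelated log line that the parser must skip
"""


def parse_rrl_line(line):
    """Return a dict of fields for a rate-limit line, or None if it is not one."""
    m = RRL_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Tally actions per (action, rtype, prefix) and per target domain.

    Returns (per_prefix, per_domain, unparsed_count).
    """
    per_prefix = Counter()
    per_domain = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_rrl_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_prefix[(rec["action"], rec["rtype"], rec["prefix"])] += 1
        per_domain[rec["domain"]] += 1
    return per_prefix, per_domain, unparsed


def slip_count(per_prefix):
    """Number of truncated ("slip") responses sent.

    Each slip tells the client to retry over TCP, so this is a rough upper
    bound on the TCP connections the burst can push into the tcp-clients pool.
    """
    return sum(n for (action, _rtype, _prefix), n in per_prefix.items()
               if action == "slip")


if __name__ == "__main__":
    per_prefix, per_domain, unparsed = summarize(SAMPLE_LOG.splitlines())
    for (action, rtype, prefix), n in per_prefix.most_common():
        print(f"{action:4} {rtype:8} {prefix:18} {n}")
    print("domains:", dict(per_domain))
    print("slips (TCP retries to expect):", slip_count(per_prefix))
    print("unparsed lines:", unparsed)
```

Feed it the output of grep on the rate-limit log category (for example `grep 'rate-limit:' named.log | python3 rrl_tally.py`, adjusting the `SAMPLE_LOG` block to read stdin). Comparing the slip count against the tcp-clients value over the burst window shows whether the pool exhaustion the post describes is coming from a few prefixes, which is the input an operator needs before choosing between a lower slip ratio, a different nxdomains-per-second, or exempting known resolver ranges.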