I've been running with this configuration on some authoritative nameservers for
the last couple of years:
rate-limit {
responses-per-second 100;
errors-per-second 1000;
nxdomains-per-second 1000;
max-table-size 50000;
slip 2;
};
options {
tcp-clients 5000;
}
I understand these definitions are considered rather on the upper end of things.
Every once in a while some rather large query bursts come along and triggers
the NXDOMAIN limit (mostly on random names from google, microsoft or yahoo or
cloudflare sources):
17-Nov-2022 21:42:45.196 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63673
(3uPpY.<somedomain>): rate limit drop NXDOMAIN response to 13.106.140.0/24 for
<somedomain> (1c97f572)
As expected this forces them to use tcp instead of udp. This then quickly fills
up the available
"tcp-clients" pool. Which is then of course having negative effects for other
clients.
Does anyone want to share their take on how to handle such query bursts?
Is anyone using "nxdomains-per-second" experiencing similar things? Since 1000
seems to be the
maximum, I tend to setting it to 0 to avoid filling up the tcp-clients pool.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
