Question about: "rate-limit: stop limiting responses to 1.1.1.0/24 for www.example.com"

2018-01-04 Thread Tom

Hi list

I'm testing rate-limits (BIND 9.11.2) and I'm unsure how I have to 
understand the following "stop limiting" log entry:

1)
04-Jan-2018 15:09:10.852 rate-limit: info: limit responses to 1.1.1.0/24 
for www.example.com IN A  (7ae73d9b)


2)
04-Jan-2018 15:09:10.852 rate-limit: info: client @0x7f16440ee550 
13.93.86.165#55203 (www.example.com): rate limit drop response to 
1.1.1.0/24 for www.example.com IN A  (7ae73d9b)


3)
04-Jan-2018 15:09:16.773 rate-limit: info: client @0x7f16440fcc30 
13.93.86.165#33997 (www.example.com): rate limit drop response to 
1.1.1.0/24 for www.example.com IN A  (7ae73d9b)


4)
04-Jan-2018 15:10:20.266 rate-limit: info: stop limiting responses to 
1.1.1.0/24 for www.example.com IN A  (7ae73d9b)



- #1-#3 seem clear, because they reach the configured threshold. But 
what about entry #4? Why does this log entry only appear about 60-65 
seconds later, after I've stopped the "test" attack (confirmed multiple 
times..)?


My rate-config:
rate-limit {
    responses-per-second 5;
    slip 0;
    window 5;
};


Many thanks.
Kind regards,
Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
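To see what the four entries above say about the episode as a whole, here is a small parser (added for this archive page, not Tom's or ISC's code) that pairs the "limit responses" and "stop limiting" entries by the trailing bucket tag, counts the logged drops in between, and measures both the total limiting time and the quiet gap between the last logged drop and the "stop limiting" line. The log text is the four lines from the question, re-joined one entry per line; the regular expression is an assumption about the entry layout based only on those lines.

```python
import re
from datetime import datetime

# Constructed sample: the four rate-limit entries from the question, one per line.
SAMPLE_LOG = """\
04-Jan-2018 15:09:10.852 rate-limit: info: limit responses to 1.1.1.0/24 for www.example.com IN A  (7ae73d9b)
04-Jan-2018 15:09:10.852 rate-limit: info: client @0x7f16440ee550 13.93.86.165#55203 (www.example.com): rate limit drop response to 1.1.1.0/24 for www.example.com IN A  (7ae73d9b)
04-Jan-2018 15:09:16.773 rate-limit: info: client @0x7f16440fcc30 13.93.86.165#33997 (www.example.com): rate limit drop response to 1.1.1.0/24 for www.example.com IN A  (7ae73d9b)
04-Jan-2018 15:10:20.266 rate-limit: info: stop limiting responses to 1.1.1.0/24 for www.example.com IN A  (7ae73d9b)
"""

# Assumed layout (from the sample only): every entry ends with "<net> for <qname> IN <qtype>  (<tag>)".
# The tag identifies one (network, qname, qtype) bucket, so it is the key for pairing start and stop.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rate-limit: \w+: (?P<msg>.*?)'
    r'(?P<net>\d+\.\d+\.\d+\.\d+/\d+) for (?P<qname>\S+) IN (?P<qtype>\S+)\s+\((?P<tag>[0-9a-f]+)\)$'
)


def classify(msg):
    """Map the free-text part of an entry to an event kind."""
    if msg.startswith('stop limiting responses to'):
        return 'stop'
    if msg.startswith('limit responses to'):
        return 'start'
    if 'rate limit drop response to' in msg:
        return 'drop'
    return 'other'


def summarize(log_text):
    """Group RRL entries by bucket tag and compute per-episode timing."""
    episodes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a rate-limit entry in the layout we know
        ts = datetime.strptime(m['ts'], '%d-%b-%Y %H:%M:%S.%f')
        ep = episodes.setdefault(m['tag'], {
            'network': m['net'], 'qname': m['qname'], 'qtype': m['qtype'],
            'start': None, 'stop': None, 'last_drop': None, 'drops': 0})
        kind = classify(m['msg'])
        if kind == 'start':
            ep['start'] = ts
        elif kind == 'drop':
            ep['drops'] += 1          # counts logged drop entries, not every dropped packet
            ep['last_drop'] = ts
        elif kind == 'stop':
            ep['stop'] = ts
    for ep in episodes.values():
        if ep['start'] and ep['stop']:
            ep['duration_s'] = (ep['stop'] - ep['start']).total_seconds()
        if ep['last_drop'] and ep['stop']:
            ep['quiet_before_stop_s'] = (ep['stop'] - ep['last_drop']).total_seconds()
    return episodes


if __name__ == '__main__':
    for tag, ep in summarize(SAMPLE_LOG).items():
        print(f"{tag}: {ep['network']} {ep['qname']}/{ep['qtype']} limited for "
              f"{ep.get('duration_s')}s, {ep['drops']} logged drops, "
              f"{ep.get('quiet_before_stop_s')}s from last logged drop to 'stop limiting'")
```

On the sample the episode lasts 69.414 s in total, and the "stop limiting" entry comes 63.493 s after the last logged drop, which is the 60-65 second gap the question is about. The same summary run over a real log gives a quick check of how many buckets are being limited and for how long, without having to read the entries one by one.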


Re: Recommended values for a zone

2018-01-04 Thread Bob Harold
On Wed, Jan 3, 2018 at 5:58 PM, Mik J wrote:

> Thank you Bob for your answer.
> I continued to search and saw rfc1912 page 4
> It's much higher than I first thought
>
>
>
> On Wednesday, January 3, 2018 at 20:05:57 UTC+1, Bob Harold <
> rharo...@umich.edu> wrote:
>
>
>
> On Wed, Jan 3, 2018 at 1:57 PM, Mik J via bind-users <
> bind-users@lists.isc.org> wrote:
>
> Hello,
>
> I would like to have your thoughts about what should be the best values
> for refresh, retry, expire and negative cache.
>
> In my case I have 2 DNS which are hosted in 2 different locations. These
> locations are near one another (100km). The latency is very low and packet
> loss is 0.
> I configured a lot of zones on my DNS and they are not masters for anyone else.
> This is a very simple setup in terms of master/slave.
>
> I would be tempted to
> * configure a high refresh period since I have notify configured on the
> master. What about 7200s?
> * configure a high retry period because I don't expect the master to be
> offline, what about 3600?
> * configure an expire very high like 2 days so that the DNS service would
> work even if the master is down
> * I don't have any opinion about the negative TTL yet but any advice is
> welcome.
>
> What about your setups, if they look like mine?
>
> Regards
>
>
> I typically use an expire time of 14 days or a month.  But that said, you
> need some way to get notified that zone transfers are failing.
> The refresh and retry are ok, but personally I would set them lower
> because they don't generate a lot of traffic, and a notify could get lost.
> It depends on how sensitive you are to extra traffic.
>
> Negative TTL depends partly on how fast you want new (or accidentally
> deleted) records to be usable.  I use 10 minutes.
>
> --
> Bob Harold
>
>

Thanks for mentioning rfc1912.  I just read it again, and the advice is
good.
One update - I think that "minimum" is now used only as the TTL for
NXDOMAIN (domain name does not exist) replies.  The default TTL is set with
a $TTL record (usually at the top of the zone file).

-- 
Bob Harold
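As a worked example of the advice in this thread (added here; not Bob's or ISC's code), the following checker parses an SOA record in zone-file syntax, converts BIND-style time values such as 2d or 10m to seconds, and compares the timers against the RFC 1912 section 2.2 ranges, with the "minimum" field treated as the negative-caching TTL as RFC 2308 defines it. The sample zone header is constructed from the values Mik proposed (refresh 7200, retry 3600, expire 2 days, negative TTL 10 minutes), so the only warning it produces is the one Bob raised: a 2-day expire is well under the 2-4 weeks RFC 1912 suggests.

```python
import re

# RFC 1912 section 2.2 suggested ranges, in seconds. Its "minimum" guidance predates RFC 2308,
# which made that field the negative-caching TTL (the zone's default TTL now comes from $TTL).
RFC1912_RANGES = {
    'refresh': (1200, 43200),       # 20 minutes to 12 hours
    'retry':   (120, 7200),         # 2 minutes to 2 hours
    'expire':  (1209600, 2419200),  # 2 to 4 weeks
}
NEGATIVE_TTL_MAX = 86400  # RFC 2308: negative TTLs over one day have been found problematic

UNIT_SECONDS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 604800}

# Constructed sample zone header using the timer values proposed in the thread.
SAMPLE_SOA = """\
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. (
                2018010401  ; serial
                7200        ; refresh
                3600        ; retry
                2d          ; expire
                10m )       ; minimum = negative-cache TTL (RFC 2308)
"""


def parse_ttl(token):
    """Parse a BIND-style time value: plain seconds or units, e.g. 3600, 2h30m, 14d, 4w."""
    if token.isdigit():
        return int(token)
    lowered = token.lower()
    if re.sub(r'\d+[smhdw]', '', lowered) != '':
        raise ValueError(f'bad time value: {token}')
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r'(\d+)([smhdw])', lowered))


def parse_soa(text):
    """Extract MNAME, RNAME and the five SOA numbers from zone-file text (comments and ( ) allowed)."""
    stripped = ' '.join(line.split(';', 1)[0] for line in text.splitlines())  # drop ; comments
    tokens = stripped.replace('(', ' ').replace(')', ' ').split()             # fold continuation
    idx = tokens.index('SOA')
    serial, refresh, retry, expire, minimum = tokens[idx + 3:idx + 8]
    return {'mname': tokens[idx + 1], 'rname': tokens[idx + 2], 'serial': int(serial),
            'refresh': parse_ttl(refresh), 'retry': parse_ttl(retry),
            'expire': parse_ttl(expire), 'minimum': parse_ttl(minimum)}


def check_soa(soa):
    """Return a list of warnings about the SOA timers; an empty list means they look sane."""
    warnings = []
    for field, (lo, hi) in RFC1912_RANGES.items():
        if not lo <= soa[field] <= hi:
            warnings.append(f'{field}={soa[field]}s is outside the RFC 1912 suggested range {lo}-{hi}s')
    if soa['retry'] > soa['refresh']:
        warnings.append('retry exceeds refresh; retry is meant to be a fraction of refresh')
    if soa['expire'] <= soa['refresh'] + soa['retry']:
        warnings.append('expire should comfortably exceed refresh + retry, or a single failed '
                        'transfer can expire the zone on the secondaries')
    if soa['minimum'] > NEGATIVE_TTL_MAX:
        warnings.append(f'minimum (negative-cache TTL)={soa["minimum"]}s exceeds one day; '
                        'new or accidentally deleted names stay invisible that long')
    return warnings


if __name__ == '__main__':
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    for w in check_soa(soa) or ['no warnings']:
        print('-', w)
```

The expire check is the one that matters operationally: as Bob notes, a long expire only buys time if something tells you that zone transfers are failing, so pair a generous expire with monitoring of the secondaries' SOA serials rather than relying on the timer alone.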

Re: Question about: "rate-limit: stop limiting responses to 1.1.1.0/24 for www.example.com"

2018-01-04 Thread Tony Finch
Tom wrote:

> Why does this logentry only appears about 60-65 seconds later, after
> I've stopped the "test"-attack (confirmed multiple times..)?

There's a hardcoded cleanup timeout of 60 seconds. The extra is (I think)
due to the time needed to make the token bucket positive.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
German Bight: Cyclonic 3 or 4, increasing 5 or 6, occasionally 7 to severe
gale 9 in far southwest. Moderate, occasionally rough in southwest. Rain or
showers. Good occasionally poor.
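To make Tony's two-part answer concrete, here is a simplified token-bucket model (written for this page; it is not BIND's rrl.c and only approximates its behaviour) using the values from Tom's config: responses-per-second 5 and window 5, with slip 0 so every over-limit response is dropped rather than truncated. The assumptions are that credit grows by responses-per-second each second up to responses-per-second × window, that a response leaving the bucket in debt is dropped, that debt is floored at minus that same product, and that the 60 second cleanup timeout Tony mentions starts once the bucket is out of debt. Under those assumptions a hard flood leaves the bucket at its floor, it needs up to window seconds of silence to climb back out, and the "stop limiting" entry follows 60 seconds after that, which is the 60-65 second range Tom observed.

```python
import math

# Values from Tom's rate-limit block
RESPONSES_PER_SECOND = 5
WINDOW = 5
CLEANUP_TIMEOUT_S = 60  # the hard-coded cleanup timeout Tony refers to (assumed to run from the moment the bucket is out of debt)


class RrlBucket:
    """Per-(client network, qname, qtype) token bucket.

    Simplified model for this example, not BIND's implementation: credit grows by `rate`
    every second up to rate*window, each response costs one token, a response that leaves
    the bucket negative is dropped (slip 0), and debt is floored at -(rate*window).
    """

    def __init__(self, rate, window, now=0.0):
        self.rate = rate
        self.window = window
        self.credit = rate        # a fresh bucket allows one second's worth of responses
        self.last_refill = now

    def _refill(self, now):
        elapsed = int(now - self.last_refill)  # whole seconds since the last refill
        if elapsed > 0:
            self.credit = min(self.rate * self.window, self.credit + elapsed * self.rate)
            self.last_refill += elapsed

    def response(self, now):
        """Account one candidate response at time `now`; return 'send' or 'drop'."""
        self._refill(now)
        self.credit = max(self.credit - 1, -self.rate * self.window)
        return 'drop' if self.credit < 0 else 'send'

    def seconds_until_out_of_debt(self, now):
        """Whole seconds of silence needed before the bucket is no longer negative."""
        self._refill(now)
        return 0 if self.credit >= 0 else math.ceil(-self.credit / self.rate)


def simulate(attack_qps, attack_seconds, rate=RESPONSES_PER_SECOND,
             window=WINDOW, cleanup=CLEANUP_TIMEOUT_S):
    """Send attack_qps identical queries per second for attack_seconds, then report
    how long after the flood ends the 'stop limiting' entry would be logged."""
    bucket = RrlBucket(rate, window)
    sent = dropped = 0
    for t in range(attack_seconds):
        for _ in range(attack_qps):
            if bucket.response(float(t)) == 'send':
                sent += 1
            else:
                dropped += 1
    recovery = bucket.seconds_until_out_of_debt(float(attack_seconds))
    return {'sent': sent, 'dropped': dropped,
            'recovery_s': recovery, 'stop_log_delay_s': recovery + cleanup}


if __name__ == '__main__':
    for qps in (6, 100):
        r = simulate(qps, 10)
        print(f"{qps} qps for 10 s: sent {r['sent']}, dropped {r['dropped']}, "
              f"bucket out of debt after {r['recovery_s']} s, "
              f"'stop limiting' expected ~{r['stop_log_delay_s']} s after the flood")
```

The two scenarios in the usage block show the point: a mild overrun (6 qps against a 5 qps limit) leaves a small debt and the log entry comes about 61 s after the flood stops, while a hard flood drives the bucket to its floor and the entry comes about 64 s later. When tuning window, keep in mind that it bounds both the burst a client may send before being limited and the extra delay before limiting is lifted.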