Logging of rate-limited queries way too talkative
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sun Sep 29 14:18:48 UTC 2013
I'm trying RRL on the new BIND 9.9.4.
When RRL steps in, if I understand the documentation properly, two
things are logged, a summary of the beginning and end of RRL, and one
message per rejected query (!) Since RRL is used when there is an
attack, there are *many* such messages. Worse, the default behavior of
BIND aggravates the attack by filling the disk.
From the ARM, I find no way to prevent these annoying messages,
except shutting down all query errors logging. Here is my best config
so far:
logging {
    channel rrl_channel {
        file "rrl.log" versions 3 size 10m;
        print-time yes;
        print-category yes;
    };
    # Prints begin and end of rate-limiting
    category rate-limit {
        rrl_channel;
    };
    # Individual requests rejected
    category query-errors {
        null;
    };
};
But it is too harsh, since all query errors are sent to null.
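Since the config above keeps only the begin/end notices from the rate-limit category, a defender still wants to turn that channel into something readable during an attack. The following summarizer is an added example, not code from the poster or from BIND; the sample lines are constructed, their wording is modeled on the RRL start/stop notices as printed with print-time and print-category, and the exact line format is an assumption you should check against your own rrl.log.

```python
import re
from datetime import datetime

# Constructed sample of an rrl.log written by the rrl_channel above
# (print-time and print-category on, no print-severity). Assumed format.
SAMPLE_LOG = """\
29-Sep-2013 14:18:48.101 rate-limit: limit responses to 192.0.2.0/24 for example.com IN ANY (0d2a6f11)
29-Sep-2013 14:18:48.377 rate-limit: limit responses to 198.51.100.0/24 for example.com IN ANY (0d2a6f11)
29-Sep-2013 14:18:50.009 rate-limit: stop limiting responses to 192.0.2.0/24 for example.com IN ANY (0d2a6f11)
29-Sep-2013 14:19:02.550 rate-limit: limit responses to 192.0.2.0/24 for example.com IN ANY (0d2a6f11)
29-Sep-2013 14:19:07.003 rate-limit: stop limiting responses to 192.0.2.0/24 for example.com IN ANY (0d2a6f11)
29-Sep-2013 14:19:09.000 rate-limit: stop limiting responses to 198.51.100.0/24 for example.com IN ANY (0d2a6f11)
"""

# One regex for both the "limit" (start) and "stop limiting" (end) notices.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rate-limit: "
    r"(?P<event>limit|stop limiting) responses to (?P<client>\S+) "
    r"for (?P<name>\S+) IN (?P<qtype>\S+)"
)


def summarize(log_text):
    """Return {(client, name, qtype): {"episodes": n, "seconds": total}}.

    Each "limit" notice opens an episode for that client/name/type; the
    matching "stop limiting" notice closes it and adds the elapsed time.
    An episode still open at end of log is counted but adds no duration.
    """
    open_since = {}
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an RRL start/stop notice; skip
        key = (m["client"], m["name"], m["qtype"])
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        entry = stats.setdefault(key, {"episodes": 0, "seconds": 0.0})
        if m["event"] == "limit":
            entry["episodes"] += 1
            open_since[key] = ts
        elif key in open_since:
            entry["seconds"] += (ts - open_since.pop(key)).total_seconds()
    return stats


def top_limited(stats, n=5):
    """Client/name/type tuples ordered by total limited seconds, longest first."""
    return sorted(stats, key=lambda k: stats[k]["seconds"], reverse=True)[:n]


if __name__ == "__main__":
    for key in top_limited(summarize(SAMPLE_LOG)):
        print(key, summarize(SAMPLE_LOG)[key])
```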