RRL settings that work for you

Mike Hoskins (michoski) michoski at cisco.com
Tue May 26 21:00:40 UTC 2015


Hi folks,

I've read about RRL with interest since its inception, but just now
getting around to rolling it out.  That is partially because we run a very
small authoritative infrastructure serving mostly as Akamai EDNS origins.
However, since it is exposed externally, used by a few tenants and RRL has
been running in the wild for a while now...we decided to finally hop on the
bandwagon as part of our latest round of DNS infrastructure upgrades.

We are experimenting in log-only mode, and wanted to get feedback on
settings which work well for others in production.  So far we have the
following which appears to work well (not limiting typical clients during
normal operation):

rate-limit {
	log-only yes;
	ipv4-prefix-length 32;
	window 10;
	responses-per-second 20;
	nxdomains-per-second 10;
	exempt-clients {
		[...]
	};
};


However, as we've mostly just been turning knobs in an attempt to minimize
log entries... insight from operators is appreciated.

Thanks!
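The natural next step while `log-only yes` is set is to tally what named says it *would* have dropped or slipped, per prefix and per name, and to confirm that nothing listed in `exempt-clients` shows up at all (if it does, the ACL is not matching). The script below is an added example, not from the post and not part of BIND. The log lines in it are constructed to follow the shape of the messages BIND writes to the `rate-limit` log category (the `would ` prefix in log-only mode, the `drop`/`slip` actions, the `NXDOMAIN`/`error`/`all` qualifiers, `stop limiting` on recovery); check the wording against your own named version before trusting the regex on real logs. The exempt network `203.0.113.0/24` is an assumption for the demonstration.

```python
"""Tally BIND RRL log-only output to see what would be limited before enforcing.

Added example, not code from the post or from BIND.  SAMPLE_LOG is constructed
to mirror the rate-limit category message shape; verify against your named.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: rate-limit category lines with `log-only yes` and
# `ipv4-prefix-length 32` (so each limited "prefix" is a single host).
SAMPLE_LOG = """\
26-May-2015 20:59:01.001 rate-limit: info: client 192.0.2.77#43512 (example.com): would rate limit drop response to 192.0.2.77/32 for example.com IN ANY  (1a2b3c4d)
26-May-2015 20:59:01.002 rate-limit: info: client 192.0.2.77#43513 (example.com): would rate limit slip response to 192.0.2.77/32 for example.com IN ANY  (1a2b3c4d)
26-May-2015 20:59:01.010 rate-limit: info: client 198.51.100.9#50001 (zzz.example.com): would rate limit drop NXDOMAIN response to 198.51.100.9/32 for zzz.example.com IN A  (5e6f7a8b)
26-May-2015 20:59:02.004 rate-limit: info: client 192.0.2.77#43514 (example.com): would rate limit drop response to 192.0.2.77/32 for example.com IN ANY  (1a2b3c4d)
26-May-2015 20:59:12.000 rate-limit: info: client 192.0.2.77#43599 (example.com): would stop limiting responses to 192.0.2.77/32 for example.com IN ANY  (1a2b3c4d)
26-May-2015 20:59:15.000 rate-limit: info: client 203.0.113.5#1053 (www.example.com): would rate limit drop response to 203.0.113.5/32 for www.example.com IN A  (9c0d1e2f)
"""

# Tolerant of the log-only "would " prefix, of drop vs slip, of the optional
# response-type qualifier, and of "stop limiting" recovery messages.
RRL_RE = re.compile(
    r"client (?P<client>\S+?)#\d+ \([^)]*\): "
    r"(?P<would>would )?"
    r"(?:rate limit (?P<action>drop|slip)|(?P<stop>stop limiting)) "
    r"(?:(?P<rtype>NXDOMAIN|error|referral|all) )?"
    r"responses? to (?P<prefix>\S+) for (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse(log_text):
    """Yield one dict of named groups per RRL line; other lines are ignored."""
    for line in log_text.splitlines():
        m = RRL_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log_text, exempt_clients=()):
    """Count drop/slip events per prefix and per (qname, qtype, response type).

    exempt_clients: networks you put in `exempt-clients`.  Any client from one
    of them appearing in a limit message means the ACL is not matching.
    """
    exempt = [ipaddress.ip_network(n) for n in exempt_clients]
    by_prefix = Counter()   # (prefix, action) -> count
    by_name = Counter()     # (qname, qtype, rtype) -> count
    exempt_hits = set()
    would = enforced = 0
    for rec in parse(log_text):
        if rec["stop"]:
            continue        # recovery message, not a limited response
        if rec["would"]:
            would += 1
        else:
            enforced += 1
        by_prefix[(rec["prefix"], rec["action"])] += 1
        by_name[(rec["qname"], rec["qtype"], rec["rtype"] or "answer")] += 1
        ip = ipaddress.ip_address(rec["client"])
        for net in exempt:
            if ip in net:
                exempt_hits.add(str(net))
    if would and enforced:
        mode = "mixed"
    elif would:
        mode = "log-only"
    elif enforced:
        mode = "enforcing"
    else:
        mode = "no-rrl-events"
    return {
        "mode": mode,
        "events": would + enforced,
        "by_prefix": by_prefix,
        "by_name": by_name,
        "exempt_hits": sorted(exempt_hits),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, exempt_clients=["203.0.113.0/24"])  # assumed ACL
    print(f"mode={s['mode']} events={s['events']}")
    for (prefix, action), n in s["by_prefix"].most_common():
        print(f"{n:5d} {action:4s} {prefix}")
    for (qname, qtype, rtype), n in s["by_name"].most_common():
        print(f"{n:5d} {rtype:8s} {qname} {qtype}")
    if s["exempt_hits"]:
        print("exempt-clients networks still being limited:", s["exempt_hits"])
```

Run it against a day of `rate-limit` category output before flipping `log-only` off: the per-prefix table tells you whether the entries you are trying to minimize come from a handful of abusive sources (fine to let RRL handle) or from your own tenants' resolvers (raise `responses-per-second`, widen `window`, or add them to `exempt-clients`), and a non-empty `exempt_hits` means the exemption is not taking effect.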



More information about the bind-users mailing list