Disabling rate-limit?

MURTARI, JOHN jm5903 at att.com
Tue Aug 16 12:24:11 UTC 2016


Blr,

We do run RRL on some of our servers; an example options clause that activates the feature is below. Two suggestions:

1. You mention you 'inherited' the server and looked at /etc/named.conf -- verify that it is not running chroot to another directory and using another config file (I know it's obvious, but I've been caught several times by this).

2. I might agree with some of the other responses that think the logging you are seeing is NOT from RRL. Logging/options from a server running 9.9.8 below. You can see the lines are tagged with 'rate-limit':

30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)

        rate-limit {
                domain                  ".";
                responses-per-second    50;
                window                  15;
                log-only                no;
                qps-scale               35000;
                IPv4-prefix-length      28;
                IPv6-prefix-length      56;
                slip                    2;
                exempt-clients          { 127.0.0.1/32; ....... };
        };

John
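As an added example (not part of John's message, and not BIND or ISC code): a small Python parser that classifies RRL log events in both shapes this thread shows, the 9.9.8 lines tagged "rate-limit:" above and the untagged "limit responses to ... for hostname.bind CH TXT" lines from Blr's original post, and separately counts "no more recursive clients" quota messages so the two kinds of limiting are not confused. The sample log is constructed: the first three lines copy John's quoted output, the rest fill in the placeholders from the thread with made-up values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. Lines 1-3 are the "rate-limit:" channel format quoted
# in the thread; lines 4-5 follow the untagged format from the original post
# with its <placeholders> filled in; line 6 is an unrelated message; line 7 is
# a recursive-client quota message built from the text quoted in the thread.
SAMPLE_LOG = """\
30-Jul-2016 22:08:12.185 rate-limit: info: stop limiting error responses to 12.109.112.112/28
30-Jul-2016 23:21:07.296 rate-limit: info: limit NXDOMAIN responses to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
30-Jul-2016 23:21:07.296 rate-limit: info: client 65.218.138.57#48702 (153.12.168.192.in-addr.arpa): rate limit slip NXDOMAIN response to 65.218.138.48/28 for 168.192.IN-ADDR.ARPA  (05bd036f)
Aug 15 20:01:02 ns1 named[1234]: limit responses to 192.0.2.0/28 for hostname.bind CH TXT  (1a2b3c4d)
Aug 15 20:01:17 ns1 named[1234]: stop limiting responses to 192.0.2.0/28 for hostname.bind CH TXT  (1a2b3c4d)
30-Jul-2016 23:30:00.000 general: info: zone example.com/IN: loaded serial 2016073001
30-Jul-2016 23:40:00.000 client 192.0.2.55#53000: no more recursive clients: quota reached
"""

# One pattern for the three RRL actions. "stop limiting" and "rate limit slip"
# are listed before the bare "limit" so the alternation takes the full phrase.
# The "limit" inside the "rate-limit:" channel tag is followed by ":", not a
# space, so it never matches.
RRL_RE = re.compile(
    r"\b(?P<action>stop limiting|rate limit slip|limit) "
    r"(?:(?P<rtype>NXDOMAIN|error|referral|nodata|all) )?"
    r"responses? to (?P<subnet>[0-9a-fA-F.:]+/\d+)"
    r"(?: for (?P<target>.*?))?"
    r"\s*(?:\((?P<hash>[0-9a-f]+)\))?\s*$"
)

ACTION_NAMES = {"limit": "limit", "stop limiting": "stop", "rate limit slip": "slip"}


@dataclass
class RrlEvent:
    action: str   # "limit" (started dropping), "stop" (released) or "slip" (truncated reply)
    rtype: str    # NXDOMAIN, error, ... or "all" when the line names no type
    subnet: str   # client block the limit applies to (IPv4-/IPv6-prefix-length wide)
    target: str   # zone or qname (plus class/type) named after "for", if any
    tagged: bool  # True when the line carries the 9.9-style "rate-limit:" channel tag


def parse_rrl_line(line: str) -> Optional[RrlEvent]:
    """Return the RRL event on this log line, or None if it is not an RRL line."""
    m = RRL_RE.search(line)
    if not m:
        return None
    return RrlEvent(
        action=ACTION_NAMES[m.group("action")],
        rtype=m.group("rtype") or "all",
        subnet=m.group("subnet"),
        target=m.group("target") or "",
        tagged="rate-limit:" in line,
    )


def summarize(log_text: str) -> dict:
    """Aggregate a log: is RRL actively limiting, whom, and in which log format,
    plus how many recursive-client quota messages (a different limiter) appear."""
    actions = Counter()
    subnets = set()
    untagged = 0
    recursive_quota = 0
    for line in log_text.splitlines():
        if "no more recursive clients" in line:
            recursive_quota += 1
            continue
        ev = parse_rrl_line(line)
        if ev is None:
            continue
        actions[ev.action] += 1
        subnets.add(ev.subnet)
        if not ev.tagged:
            untagged += 1
    return {
        # "stop" alone means limits were released; only limit/slip prove RRL is acting
        "rrl_active": (actions["limit"] + actions["slip"]) > 0,
        "actions": dict(actions),
        "subnets": sorted(subnets),
        "untagged_rrl_lines": untagged,
        "recursive_quota_events": recursive_quota,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real named log, a non-zero "untagged_rrl_lines" count with an empty "rate-limit:" channel points at an RRL build that logs through the general channel (as Blr's 9.8 lines do), while "recursive_quota_events" flags the recursive-clients limit John Miller describes later in this digest, which has nothing to do with the rate-limit clause.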

----------
Message: 6
Date: Mon, 15 Aug 2016 20:23:17 -0700 (PDT)
From: blrmaani <blrmaani at gmail.com>
To: comp-protocols-dns-bind at isc.org
Subject: Re: Disabling rate-limit?
Message-ID: <b0daf19e-721f-43bf-aa68-14418c94739d at googlegroups.com>
Content-Type: text/plain; charset=UTF-8

From tcpdump, it appears that customers are receiving delayed responses and are too sensitive to timeouts.

The queries they are sending are authoritative, i.e. the zone is on our nameserver.

How do I troubleshoot this issue? This is really intermittent and hard to reproduce.

thanks
Blr

On Monday, August 15, 2016 at 7:27:44 PM UTC-7, John Miller wrote:
> Hi Blr,
> 
> First things first: if your customers are sending queries, this is
> probably about their own recursive queries timing out, rather than
> incoming authoritative queries timing out.
> 
> Something else you should check: are your customers receiving a
> delayed (say a few seconds) SERVFAIL response, or are they receiving
> no response at all?
> 
> There's a different set of options in BIND for recursive rate limiting
> versus authoritative rate limiting.
> 
> Recursive queries:
> 
> * recursive-clients
> * clients-per-query
> * max-clients-per-query
> 
> Running 'rndc status' is a good way to see how close you are to these
> limits; you'll see log messages like
> 
> "no more recursive clients: quota reached"
> 
> There's also a newer set of "recursive client rate-limiting" features
> available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
> sure this doesn't apply to your case.
> 
> Authoritative queries:
> https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
> IIRC, rate-limiting for authoritative queries (called "Response rate
> limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
> required a specific build in BIND 9.9.x.  It's not available in BIND
> 9.8.x.
> 
> John
> 
> On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrmaani at gmail.com> wrote:
> > I inherited a DNS server which is running BIND 9.8.x. There was a DNS incident where our customers complained that they saw query timeouts intermittently (our customers run cassandra/hadoop applications and send the same queries repeatedly). They also run nscd on their hosts, but I was told all have the same TTL value of 3600, indicating all names expire at the same time on thousands of client hosts.
> >
> > I tried to reproduce the issue by sending hostname.bind queries and I see logs similar to the one below:
> >
> > <time> <client-hostname> named[<pid>]: limit responses to <subnet> for hostname.bind CH TXT <hex-number>
> > <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> for hostname.bind CH TXT <hex-number>
> >
> >
> > I reviewed /etc/named.conf and do not see a 'rate-limit' configuration. I am confused because the BIND ARM says rate-limit is disabled by default, but the logs indicate otherwise.
> >
> > (I did "grep rate /etc/*" and didn't see anything. There are no includes in named.conf.)
> >
> > Please advise on how I can disable rate-limit on my DNS server.
> >
> >
> > I did a strings on 'named' binary and see this:
> >
> > strings /usr/sbin/named | egrep -i rrl
> > dns_rrl
> > dns_rrl_init
> > dns_rrl_view_destroy
> >
> > What else do I need to check to identify if RRL is enabled?
> >
> >
> > Thanks
> > Blr
> 
> 
> 
> -- 
> John Miller
> Systems Engineer
> Brandeis University
> johnmill at brandeis.edu
> (781) 736-4619
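Added example, not from either John's or Blr's messages and not an ISC tool: two checks a practitioner would run before concluding that RRL is off. The first resolves which config file a running named actually reads from its command line (named's -t sets a chroot directory and -c the config path inside it, so /etc/named.conf on the host may be the wrong file); the second inspects that file with comments stripped, so a commented-out rate-limit block is not mistaken for an active one, and reports include statements that would also need checking. The command lines and both config samples are constructed for illustration; the paths are not from the thread.

```python
import re
import shlex
from typing import Optional

# Constructed command lines in the form `ps -o args= -C named` prints them.
CMDLINE_CHROOT = "/usr/sbin/named -u named -t /var/named/chroot"
CMDLINE_PLAIN = "/usr/sbin/named -u named -c /etc/bind/named.conf.local"

# Constructed config A: rate-limit appears only inside comments, so a plain
# `grep rate /etc/*` reports a hit although nothing is configured.
SAMPLE_CONF_A = """\
options {
        directory "/var/named";
        // rate-limit { responses-per-second 5; };
        /* rate-limit {
                log-only yes;
        }; */
        recursion no;
};
"""

# Constructed config B: an active block in the shape posted above, plus an
# include statement (Blr's file had none; it is here to show they are listed).
SAMPLE_CONF_B = """\
include "/etc/named.rrl.conf";
options {
        directory "/var/named";   # rate of change noted here is irrelevant
        rate-limit {
                responses-per-second    50;
                window                  15;
                log-only                no;
                slip                    2;
                exempt-clients          { 127.0.0.1/32; };
        };
};
"""

# named.conf comment forms: /* */, //, #. Simplified: markers inside quoted
# strings are not special-cased.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def effective_named_conf(cmdline: str, default_conf: str = "/etc/named.conf") -> str:
    """Host-side path of the config the running named reads, combining -t and -c."""
    args = shlex.split(cmdline)[1:]
    chroot, conf = None, default_conf
    i = 0
    while i < len(args):
        arg = args[i]
        flag, value = None, None
        if arg in ("-t", "-c") and i + 1 < len(args):   # "-t /dir" form
            flag, value = arg, args[i + 1]
            i += 1
        elif arg[:2] in ("-t", "-c") and len(arg) > 2:  # "-t/dir" form
            flag, value = arg[:2], arg[2:]
        if flag == "-t":
            chroot = value
        elif flag == "-c":
            conf = value
        i += 1
    if chroot:
        return chroot.rstrip("/") + "/" + conf.lstrip("/")
    return conf


def block_body(text: str, keyword: str) -> Optional[str]:
    """Body of the first `keyword { ... }` block with nested braces balanced
    (a non-greedy regex would stop at the inner `}` of exempt-clients)."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth = 1
    for pos in range(m.end(), len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():pos]
    return None  # unbalanced braces: treat as not found


def inspect_named_conf(conf_text: str) -> dict:
    """Report an uncommented rate-limit block, its log-only setting, and includes."""
    text = COMMENT_RE.sub("", conf_text)
    body = block_body(text, "rate-limit")
    log_only = None
    if body is not None:
        m = re.search(r"\blog-only\s+(yes|no)\s*;", body)
        log_only = m.group(1) if m else "no"  # BIND's default for log-only is no
    return {
        "rate_limit_present": body is not None,
        "log_only": log_only,
        "includes": re.findall(r'\binclude\s+"([^"]+)"\s*;', text),
    }


if __name__ == "__main__":
    print(effective_named_conf(CMDLINE_CHROOT))
    print(inspect_named_conf(SAMPLE_CONF_A))
    print(inspect_named_conf(SAMPLE_CONF_B))
```

If the resolved path differs from /etc/named.conf, or the report lists includes, those files are where a rate-limit clause would hide; if the block is present with log-only yes, named logs the limit lines but still answers every query.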



------------------------------

Subject: Digest Footer

_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 2466, Issue 1