RRL outcome on legitimate traffic...
Lyle Giese
lyle at lcrcomputer.net
Tue Dec 1 16:20:26 UTC 2020
Probably best to ask Paul Vixie for confirmation<GRIN>.
I had implemented RRL when it was still an addon and that was what was
documented back then.
On 12/1/20 10:15 AM, Karl Pielorz wrote:
>
>
> --On 1 December 2020 at 08:24:50 -0600 Lyle Giese
> <lyle at lcrcomputer.net> wrote:
>
>> You need to look at the reply named sends when it trips and starts
>> limiting UDP traffic source from a given IP address. It tells the
>> requestor to try again using TCP instead of UDP.
>>
>> So if the requestor is a legit dns server, it will retry using TCP and
>> still get a valid answer.
>>
>> Named does not blindly just drop traffic.
>
> Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to
> stop sending responses).
>
> Documentation for rate-limit seemed a bit patchy e.g. KB aa-00994
> references to "See ARM 6.2.15" - which doesn't exist. In fact a lot of
> the KB documents reference Bind 9.9 - and things have moved on.
>
> But I can see it's better explained in the current ARM / Section
> 4.2.14.19 now.
>
> In fact, that entry also covers/says "Legitimate clients react to
> dropped or truncated response by retrying with UDP or with TCP
> respectively" - looks like it documents where these are in stats as
> well (RateDropped / QryDropped et al.) - so I think I'm good to go.
>
> -Karl
>
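To make the behaviour discussed above concrete, here is a small constructed model of response rate limiting with a "slip" setting, added here as an illustration rather than taken from the thread or from BIND's source. It loosely mirrors the rate-limit options responses-per-second, slip and ipv4-prefix-length/ipv6-prefix-length, but the token-bucket arithmetic, the Bucket/ResponseRateLimiter/Resolver classes, the client addresses and the timeout value are all assumptions of this example. The server side answers, drops, or truncates each UDP response per client prefix; the client side does what the ARM text quoted above describes, retrying over TCP after a truncated reply and over UDP after a timeout.

```python
"""Simplified model of DNS response rate limiting (RRL) with a 'slip' setting.

Constructed illustration, not BIND's implementation: one token bucket per
client prefix, one credit per UDP response, and every slip-th rate-limited
response is truncated (TC=1) instead of dropped so that a legitimate
resolver falls back to TCP, where RRL does not apply.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Bucket:
    balance: float    # response credits available to this prefix
    last: float       # time of the last update, in seconds
    limited: int = 0  # rate-limited responses seen so far (drives slip)


class ResponseRateLimiter:
    def __init__(self, responses_per_second, slip, ipv4_prefix=24, ipv6_prefix=56):
        self.rps = responses_per_second
        self.slip = slip  # 0: drop every limited response; n: truncate every n-th one
        self.v4, self.v6 = ipv4_prefix, ipv6_prefix
        self.buckets = {}
        # counters mirroring the RRL statistics BIND reports (RateDropped / RateSlipped)
        self.stats = {"RateDropped": 0, "RateSlipped": 0}

    def _prefix(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4 if addr.version == 4 else self.v6
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, client_ip, now, transport="udp"):
        """Return 'answer', 'drop' or 'truncate' for one response."""
        if transport == "tcp":
            return "answer"  # RRL only limits UDP; a TCP handshake proves the source address
        key = self._prefix(client_ip)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(balance=self.rps, last=now)
        # credits refill at responses_per_second, capped at one second's worth
        b.balance = min(self.rps, b.balance + (now - b.last) * self.rps)
        b.last = now
        if b.balance >= 1:
            b.balance -= 1
            return "answer"
        b.limited += 1
        if self.slip and b.limited % self.slip == 0:
            self.stats["RateSlipped"] += 1
            return "truncate"  # empty reply with TC=1: "retry over TCP"
        self.stats["RateDropped"] += 1
        return "drop"  # no reply at all: the client will time out


class Resolver:
    """Legitimate client behaviour: TC=1 -> retry over TCP; no reply -> retry over UDP."""

    def __init__(self, server, udp_retries=2, timeout=1.0):
        self.server, self.udp_retries, self.timeout = server, udp_retries, timeout

    def lookup(self, client_ip, now):
        transcript = []
        for _ in range(self.udp_retries + 1):
            outcome = self.server.decide(client_ip, now, "udp")
            transcript.append(("udp", outcome))
            if outcome == "answer":
                break
            if outcome == "truncate":
                transcript.append(("tcp", self.server.decide(client_ip, now, "tcp")))
                break
            now += self.timeout  # dropped: wait for the timeout, then retry over UDP
        return transcript


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=2, slip=2)
    # constructed burst of six identical queries from one client at t=0
    print("burst:", [rrl.decide("192.0.2.10", 0.0) for _ in range(6)])
    print("stats:", rrl.stats)
    print("lookup:", Resolver(rrl).lookup("192.0.2.10", 0.0))
```

Two things the model makes visible: with slip set to 0 a limited client only ever sees silence and must rely on UDP retries after a timeout, while any positive slip gives it a truncated reply every n-th time and therefore a fast TCP path to a full answer; and because the bucket is keyed on the prefix rather than the single address, every host in the same /24 shares the budget, which is why the RateDropped/RateSlipped counters are the place to look before tightening the limits on a server that serves many clients behind one NAT.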