rate-limit / nxdomains-per-second
Andreas S. Kerber
ask at ag-trek.de
Fri Nov 18 08:52:15 UTC 2022
I've been running with this configuration on some authoritative nameservers for
the last couple of years:
rate-limit {
    responses-per-second 100;
    errors-per-second 1000;
    nxdomains-per-second 1000;
    max-table-size 50000;
    slip 2;
};
options {
    tcp-clients 5000;
};
I understand these definitions are considered rather on the upper end of things.
Every once in a while some rather large query bursts come along and trigger
the NXDOMAIN limit (mostly random names from Google, Microsoft, Yahoo or Cloudflare sources):
17-Nov-2022 21:42:45.196 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63673 (3uPpY.<somedomain>): rate limit drop NXDOMAIN response to 13.106.140.0/24 for <somedomain> (1c97f572)
As expected, this forces them to use TCP instead of UDP, which then quickly fills up the available
"tcp-clients" pool, which of course has negative effects for other clients.
Does anyone want to share their take on how to handle such query bursts?
Is anyone using "nxdomains-per-second" experiencing similar things? Since 1000 seems to be the
maximum, I am inclined to set it to 0 to avoid filling up the tcp-clients pool.
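An added example, not part of the post above and not BIND's own tooling: a small parser for the rate-limit log category that buckets drop/slip events per /24 prefix, response kind and second, flags the bursts, and counts slipped (TC=1) answers, which is the number of clients RRL has just told to retry over TCP and therefore the pressure that lands on the tcp-clients pool. The sample lines are constructed from the format quoted in the post; the wording of the "slip", plain "response" and "error response" lines is my assumption about how BIND phrases those cases, and the addresses and zone names are documentation values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic). Only the NXDOMAIN "drop" line follows a
# format actually quoted in the post; the other variants are assumed wordings.
SAMPLE_LOG = """\
17-Nov-2022 21:42:45.196 rate-limit: client @0x7fa3dd9b1950 13.106.140.78#63673 (3uPpY.example.net): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.net (1c97f572)
17-Nov-2022 21:42:45.201 rate-limit: client @0x7fa3dd9b1950 13.106.140.79#40121 (k9Qz1.example.net): rate limit slip NXDOMAIN response to 13.106.140.0/24 for example.net (1c97f572)
17-Nov-2022 21:42:45.377 rate-limit: client @0x7fa3dd9b1950 13.106.140.80#50012 (Zq8wP.example.net): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.net (1c97f572)
17-Nov-2022 21:42:46.004 rate-limit: client @0x7fa3dd9b1950 13.106.140.81#61203 (aB3cD.example.net): rate limit drop NXDOMAIN response to 13.106.140.0/24 for example.net (1c97f572)
17-Nov-2022 21:42:46.010 rate-limit: client @0x7fa3dd9b1950 198.51.100.7#33001 (www.example.net): rate limit drop response to 198.51.100.0/24 for example.net (0a1b2c3d)
17-Nov-2022 21:42:46.011 rate-limit: client @0x7fa3dd9b1950 203.0.113.9#33002 (example.net): rate limit drop error response to 203.0.113.0/24 for example.net (0a1b2c3e)
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Timestamp, client address, queried name, drop/slip, response kind, rate-limited prefix, zone.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rate-limit: client \S+ "
    r"(?P<client>[\d.a-fA-F:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"rate limit (?P<action>drop|slip) (?:(?P<kind>NXDOMAIN|error|referral|all) )?response to "
    r"(?P<prefix>\S+) for (?P<zone>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one rate-limit log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f")
    ev["kind"] = ev["kind"] or "response"  # plain (non-error, non-NXDOMAIN) answers
    return ev


def bucket_events(lines):
    """Count drop and slip events per (prefix, kind, wall-clock second)."""
    buckets = defaultdict(lambda: {"drop": 0, "slip": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["prefix"], ev["kind"], ev["ts"].replace(microsecond=0))
        buckets[key][ev["action"]] += 1
    return buckets


def find_bursts(lines, threshold):
    """Buckets whose drop+slip count in one second reaches the threshold, as
    (prefix, kind, HH:MM:SS, drops, slips) tuples in chronological order."""
    bursts = []
    for (prefix, kind, sec), c in sorted(bucket_events(lines).items(), key=lambda kv: kv[0][2]):
        total = c["drop"] + c["slip"]
        if total >= threshold:
            bursts.append((prefix, kind, sec.strftime("%H:%M:%S"), c["drop"], c["slip"]))
    return bursts


def slip_count(lines):
    """Number of slipped (truncated, TC=1) answers: every one is a client that will
    now retry over TCP, so this approximates the load RRL pushes onto tcp-clients."""
    n = 0
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["action"] == "slip":
            n += 1
    return n


if __name__ == "__main__":
    # Usage: python rrl_bursts.py < named-ratelimit.log, or run as-is on the sample.
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for prefix, kind, sec, drops, slips in find_bursts(lines, threshold=3):
        print(f"{sec} {prefix:<18} {kind:<9} drops={drops} slips={slips}")
    print(f"slipped answers (TCP retries induced by RRL): {slip_count(lines)}")
```

Feeding the real rate-limit log through this is the quickest way to see whether the TCP pool fills because of many slipped answers to a few prefixes (a slip of 2 turns half of every rate-limited burst into TC=1 answers) or because of genuinely broad traffic, which is the distinction that decides whether lowering slip, raising the per-prefix limits, or disabling nxdomains-per-second is the right knob.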