From: Tony Finch
Newsgroups: comp.protocols.dns.bind
Subject: Re: DNS_RRL_MAX_RATE defines 1000
Date: Thu, 9 Jul 2020 19:11:44 +0100
To: Zhiyong Cheng
Cc: bind-users@lists.isc.org

Zhiyong Cheng wrote:
>
> We are using named cluster in our internal network as the authoritative
> DNS. So there are no cache servers between clients and named cluster.
> Maybe we should add one but it is just another story.

Sorry, I wasn't completely clear: I was not saying that your authoritative
servers should have a cache.
I was saying that all the legitimate clients of
your servers (the resolvers at ISPs around the Internet) have caches.

> To my mind the RRL should not limit queries with different qnames from
> the same client. So is it my misunderstanding or wrong config?

If you are querying for nonexistent names then RRL will treat the NXDOMAIN
responses as equivalent, so it will rate-limit them. RRL limits responses,
not queries. You can configure a different `nxdomains-per-second` limit if
you want.

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Rockall, Malin: Northwest 4 or 5. Moderate. Showers. Good.
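
A simplified model of the accounting described in the reply above, added here as an example; it is not part of the original post and not BIND's implementation. It shows why NXDOMAIN responses for different qnames from one client share a single bucket. The zone name, addresses, limits, the /24 client grouping and the one-second window are constructed assumptions.

```python
# Simplified model of RRL response accounting (illustrative, not BIND's code).
import ipaddress
from collections import Counter

ZONE = "example.internal."  # constructed zone name
EXISTING = {"www.example.internal.", "mail.example.internal."}  # constructed data


def response_key(client_ip, qname, qtype, prefix_len=24):
    """Return the bucket a response is counted in (assumed /24 client grouping)."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    if qname in EXISTING:
        # Positive answers are equivalent only for the same name and type.
        return (str(net), "answer", qname, qtype)
    # Every NXDOMAIN under the zone is equivalent, whatever the qname or qtype.
    return (str(net), "nxdomain", ZONE, None)


def simulate(queries, responses_per_second=5, nxdomains_per_second=5):
    """Count sent vs. limited responses for queries arriving within one second."""
    seen = Counter()
    result = Counter()
    for client_ip, qname, qtype in queries:
        key = response_key(client_ip, qname, qtype)
        if key[1] == "nxdomain":
            limit = nxdomains_per_second
        else:
            limit = responses_per_second
        seen[key] += 1
        result["sent" if seen[key] <= limit else "limited"] += 1
    return dict(result)


def sample_queries():
    """Constructed input: one client asks for 20 different nonexistent names."""
    return [("10.0.0.7", f"host{i}.example.internal.", "A") for i in range(20)]


if __name__ == "__main__":
    # Different qnames, same NXDOMAIN bucket: most responses are limited.
    print(simulate(sample_queries()))
    # Raising the NXDOMAIN limit alone lets them through.
    print(simulate(sample_queries(), nxdomains_per_second=50))
```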