Domain Name System
Hesed, 2014-11-22 18:59:33

How to calculate rate-limit for recursive Bind?

Given a recursive Bind 9.10.1 (of course, for a specific network, not an open resolver). All RRL-related parameters are described in detail in the documentation, but working out the specific values comes down to trial and error.

/* current configuration */
rate-limit {
    ipv4-prefix-length 32;
    window 10;
    responses-per-second 20;
    errors-per-second 5;
    nxdomains-per-second 5;
    slip 2;
    exempt-clients {
        192.168.4.0/24;
    };
};

Explanations:
  • ipv4-prefix-length 32 - limiting per individual user, not per /24 subnet as by default.
  • errors-per-second 5 and nxdomains-per-second 5 - there is no need for more frequent SERVFAIL or NXDOMAIN responses.
  • exempt-clients - exemptions for the service network.
  • responses-per-second 20 with window 10 seconds is the magic itself. These values were arrived at by monitoring the logs and catching legitimate requests that fell under the RRL. With the default values, the limit was being hit by requests from:
    • Torrent clients
    • Smart TV (especially LG)
    • Various web applications that talk heavily to the CDN

So far, trying to figure out the correct values for responses-per-second and window has meant sitting in Wireshark, monitoring and looking at requests. Perhaps there is some other, more optimal and proven way?

brutal_lobster, 2014-11-22
@Hesed

Do you need RRL at all? Will clients be happy if their DNS requests fail because of a magic number on the server? Are you an ISP? What difference does it make to you how many requests I send?)
The main purpose of RRL is to limit DNS amplification attacks on authoritative servers. It has little to do with a recursor, except in the case of records with a minimal TTL. Your link mentions this.
And in general, read up on methods of building a baseline.
You collect dumps of DNS requests with plain tcpdump, and with tshark you count the number of requests per IP with different windows.
Or you can write a script to process the bind query-log. Maybe such a script even exists already :) You process the result the way bindgraph does and look at nice graphs.
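The baseline approach suggested above (count each client's requests in the query log under different windows) can be turned into a small replay. This is an added example, not code from the thread or from BIND: it parses constructed BIND 9.10-style query-log lines and runs them through a token-bucket approximation of RRL keyed on (client prefix, qname, qtype), so candidate responses-per-second / window pairs can be compared before they go into named.conf. The log format, the sample addresses and the bucket model are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): one Smart-TV-like client repeating the
# same CDN lookup 30 times within 0.3 s, plus one quiet client.
_BASE = "22-Nov-2014 18:59:30"
SAMPLE_LOG = "\n".join(
    f"{_BASE}.{i * 10:03d} client 10.1.2.3#{50000 + i} (cdn.example.net): "
    f"query: cdn.example.net IN A + (10.1.0.1)" for i in range(30)
) + f"\n{_BASE}.500 client 10.9.9.9#40000 (mail.example.org): query: mail.example.org IN MX + (10.1.0.1)\n"

# Assumed BIND 9.10 query-log layout; the "(name):" part is optional so older lines match too.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+ "
    r"(?:\([^)]*\): )?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Yield (epoch_seconds, client_ip, qname, qtype) for each parsable query-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp()
        yield ts, m["ip"], m["qname"], m["qtype"]

def simulate_rrl(events, rate, window, prefix_len=32):
    """Token-bucket approximation of RRL (this example's model, not BIND's code):
    each (client prefix, qname, qtype) bucket starts full, earns `rate` credits per
    second up to `rate * window`, and spends one credit per response; a response that
    finds the bucket empty is counted as limited. Returns {client_prefix: limited_count}."""
    cap = rate * window
    buckets = {}
    limited = defaultdict(int)
    for ts, ip, qname, qtype in sorted(events):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        key = (str(net), qname, qtype)
        balance, last = buckets.get(key, (cap, ts))
        balance = min(cap, balance + rate * (ts - last)) - 1
        buckets[key] = (balance, ts)
        if balance < 0:
            limited[key[0]] += 1
    return dict(limited)

if __name__ == "__main__":
    events = list(parse_query_log(SAMPLE_LOG))
    for rate, window in ((5, 1), (20, 1), (20, 10)):
        print(f"rate={rate} window={window}: limited={simulate_rrl(events, rate, window)}")
```

Feed it a real query log instead of SAMPLE_LOG and the clients that show up as limited under a candidate pair are exactly the ones to look at in Wireshark, rather than watching everything.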
