something about rrl

Cathy Almond cathya at isc.org
Wed Sep 24 07:59:23 UTC 2014


On 22/09/2014 11:55, 陈超 wrote:
> Dear developers,
> 
> I've recently encountered a problem with the response rate limit of bind-9.9.5.
> 
> That is, after I configured RRL and started named, I noticed that for those queries, BIND9 would do recursion first, and check the rate limit to decide whether it should send a response or not, later.
> 
> Could you please tell me why RRL was applied in such a manner? If I really need to modify the BIND9 implementation to drop all those abused queries before recursions take place, can I just go ahead without causing potential troubles? Is it risky?
> 
> Any kind of advice will be appreciated. Thank you.
> 
> Regards,
> 
> Chao Chen
> 

This is *response* rate limiting - a recursive server doesn't know what
response it should send to the client (if this is a new query for which
the answer is not in cache) until it has done recursion.

RRL was originally written to solve problems encountered by
authoritative server operators.  I think you may have a different
problem that needs a different solution - possibly DNS RPZ.

By default Response Policy behaviour is also to recurse first, although
later versions of RPZ have the option 'qname-wait-recurse' that you can
use to change this if your policy depends on the query name rather than
information that can only be determined from the query response from the
authoritative servers.

Kind regards,

Cathy
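An added configuration example (not from Cathy's reply or from ISC) showing the two mechanisms side by side: RRL in the options block, which can only act on responses the server is about to send, and an RPZ zone with qname-wait-recurse no, which lets a query-name rule be applied before any recursion happens. The zone name rpz.example, the file path, the client network and the names in the policy zone are all assumed; qname-wait-recurse needs a BIND release new enough to accept it (BIND 9.10 or later).

```conf
// named.conf (excerpt)
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // assumed client network

    // RRL only limits responses that have already been produced,
    // so on a recursive server it runs after recursion, not before.
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // qname-wait-recurse no: a rule that matches on the query name
    // alone is applied before recursion, so matching names are
    // answered from the policy without an upstream lookup.
    response-policy {
        zone "rpz.example";
    } qname-wait-recurse no;
};

zone "rpz.example" {
    type master;
    file "/etc/bind/rpz.example.db";   // assumed path
    allow-query { none; };             // policy zone is not served to clients
};

; /etc/bind/rpz.example.db (assumed file; bad.example is a constructed name)
$TTL 300
@   IN SOA  localhost. hostmaster.rpz.example. ( 2014092401 3600 600 86400 300 )
    IN NS   localhost.

; CNAME "." is the RPZ NXDOMAIN action: the name and everything under it
; is answered NXDOMAIN immediately.
bad.example      CNAME .
*.bad.example    CNAME .

; CNAME "rpz-passthru." exempts one name; the exact match wins over the wildcard.
ok.bad.example   CNAME rpz-passthru.
```

With qname-wait-recurse left at its default (yes), the same zone still takes effect, but only after recursion has completed, which is the behaviour the original question describes for RRL.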
