Noel Butler
Wed May 27 05:38:35 UTC 2015


On 27/05/2015 07:00, Mike Hoskins (michoski) wrote: 

> Hi folks,
> I've read about RRL with interest since its inception, but just now
> getting around to rolling it out. That is partially because we run a very
> small authoritative infrastructure serving mostly as Akamai EDNS origins.
> However, since it is exposed externally, used by a few tenants and RRL has
> been running in the wild for a while now... we decided to finally hop on the
> bandwagon as part of our latest round of DNS infrastructure upgrades.
> We are experimenting in log-only mode, and wanted to get feedback on
> settings which work well for others in production. So far we have the
> following, which appears to work well (not limiting typical clients during
> normal operation):
> 
>     rate-limit {
>         log-only yes;
>         ipv4-prefix-length 32;
>         window 10;
>         responses-per-second 20;
>         nxdomains-per-second 10;
>         exempt-clients {
>             [...]
>         };
>     };
> 
> However, as we've mostly just been turning knobs in an attempt to minimize
> log entries... insight from operators is appreciated.

Looks good, it's pretty close to what I use; however, one thing to
consider (maybe you have) is the IPv6 prefix. Its default, from memory, is
56. In Australia, the typical assignments for those few ISPs issuing
IPv6 are /64, so I set "ipv6-prefix-length 64", but it depends on
geography I suppose; maybe if your traffic is mostly U.S. and the
average U.S. ISP dishes out /56s, it doesn't matter much to change it.
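A constructed, simplified model of the two things the thread is weighing, prefix aggregation (ipv4/ipv6-prefix-length) and per-window response credits (responses-per-second, window, log-only), added here as an example and not part of either message or of BIND's own RRL code. The class, the `burst` helper, the credit/refill rule and the 2001:db8::/32 documentation-space clients are all assumptions made for illustration.

```python
import ipaddress


class RateLimiter:
    """Hypothetical, simplified RRL model (not BIND's implementation).
    Each bucket refills at responses_per_second credits per second, capped at
    responses_per_second * window; every response spends one credit."""

    def __init__(self, responses_per_second, window,
                 ipv4_prefix_length=24, ipv6_prefix_length=56, log_only=False):
        self.rps = responses_per_second
        self.window = window
        self.v4, self.v6 = ipv4_prefix_length, ipv6_prefix_length
        self.log_only = log_only
        self.buckets = {}   # bucket key -> (credits, last_update_second)
        self.log = []       # (second, bucket) events that would be limited

    def bucket_key(self, addr):
        """Aggregate clients by prefix, as ipv4/ipv6-prefix-length do."""
        ip = ipaddress.ip_address(addr)
        plen = self.v4 if ip.version == 4 else self.v6
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def respond(self, addr, now):
        """True if the response is sent, False if it is rate limited."""
        key = self.bucket_key(addr)
        cap = self.rps * self.window
        credits, last = self.buckets.get(key, (cap, now))
        credits = min(cap, credits + self.rps * (now - last)) - 1
        self.buckets[key] = (max(credits, -cap), now)  # debt is bounded
        if credits >= 0:
            return True
        self.log.append((now, key))
        return self.log_only  # log-only mode still answers, it only records


def burst(limiter, addr, count, now):
    """Send `count` queries from addr at second `now`; return (sent, limited)."""
    sent = sum(limiter.respond(addr, now) for _ in range(count))
    return sent, count - sent


if __name__ == "__main__":
    # Constructed sample: two clients in the same /56 but different /64s.
    a, b = "2001:db8:0:1::1", "2001:db8:0:2::1"
    for plen in (56, 64):
        rl = RateLimiter(20, 10, ipv4_prefix_length=32, ipv6_prefix_length=plen)
        print(plen, rl.bucket_key(a) == rl.bucket_key(b),
              burst(rl, a, 250, 0), burst(rl, b, 10, 0))
```

With a /56 the neighbour's flood empties the bucket the second client shares; with /64 the neighbour keeps its own credits, which is the trade-off behind the prefix-length choice above.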


