Disabling rate-limit?

John Miller johnmill at brandeis.edu
Tue Aug 16 02:26:36 UTC 2016

Hi Blr,

First things first: if your customers are sending queries, this is
probably about their own recursive queries timing out, rather than
incoming authoritative queries timing out.

Something else you should check: are your customers receiving a
delayed (say a few seconds) SERVFAIL response, or are they receiving
no response at all?

There's a different set of options in BIND for recursive rate limiting
versus authoritative rate limiting.

Recursive queries:

* recursive-clients
* clients-per-query
* max-clients-per-query

Running 'rndc status' is a good way to see how close you are to these
limits; you'll see log messages like

"no more recursive clients: quota reached"

There's also a newer set of "recursive client rate-limiting" features
available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
sure this doesn't apply to your case.

Authoritative queries:
IIRC, rate-limiting for authoritative queries (called "Response rate
limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
required a specific build in BIND 9.9.x.  It's not available in BIND


On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrmaani at gmail.com> wrote:
> I inherited a DNS server which is running BIND 9.8.x. There was a DNS incident where our customers complained that they saw query timeouts intermittently (our customers run Cassandra/Hadoop applications and send the same queries repeatedly). They also run nscd on their hosts, but I was told all have the same TTL value of 3600, indicating all names expire at the same time on thousands of client hosts.
>  I tried to reproduce the issue by sending hostname.bind queries and I see logs similar to the one below:
> <time> <client-hostname> named[<pid>]: limit responses to <subnet> for hostname.bind CH TXT <hex-number>
> <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> for hostname.bind CH TXT <hex-number>
> I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am confused because BIND ARM says rate-limit is disabled by default. But logs indicate otherwise.
> ( I did "grep rate /etc/*" and didn't see anything. There are no includes in named.conf)
> Please advise on how I can disable rate-limit on my DNS server.
> I did a strings on 'named' binary and see this:
> strings /usr/sbin/named | egrep -i rrl
> dns_rrl
> dns_rrl_init
> dns_rrl_view_destroy
> What else do I need to check to identify if RRL is enabled?
> Thanks
> Blr

John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
(781) 736-4619
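The reply above points out that recursive-client quota messages and RRL messages come from two different limiters with two different sets of options. The following is an added example, not code from the thread or from ISC: a small Python classifier that reads named log lines in the shape quoted in the thread ("limit responses to ...", "*stop limiting responses to ...", "no more recursive clients: quota reached") and reports which limiter the evidence points at and which subnets RRL is throttling. The sample log text is constructed for the example; the regular expressions assume the message text follows the wording shown in the thread.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape quoted in the thread (not real captures).
SAMPLE_LOG = """\
Aug 15 21:10:01 ns1 named[1234]: limit responses to 10.0.0.0/24 for hostname.bind CH TXT (00000001)
Aug 15 21:10:01 ns1 named[1234]: limit responses to 10.0.1.0/24 for hostname.bind CH TXT (00000002)
Aug 15 21:10:06 ns1 named[1234]: *stop limiting responses to 10.0.0.0/24 for hostname.bind CH TXT (00000001)
Aug 15 21:11:30 ns1 named[1234]: client 10.0.2.5#53121: no more recursive clients: quota reached
Aug 15 21:11:31 ns1 named[1234]: limit responses to 10.0.0.0/24 for hostname.bind CH TXT (00000001)
"""

# Authoritative-side RRL messages: start and stop of throttling for a subnet/query tuple.
RRL_START = re.compile(r"named\[\d+\]: limit responses to (\S+) for (\S+) (\S+) (\S+)")
RRL_STOP = re.compile(r"named\[\d+\]: \*stop limiting responses to (\S+) for (\S+) (\S+) (\S+)")
# Recursive-side quota message (recursive-clients / clients-per-query family of options).
RECURSIVE_QUOTA = re.compile(r"no more recursive clients: quota reached")


def classify(line):
    """Return 'rrl_start', 'rrl_stop', 'recursive_quota', or None for other lines."""
    if RRL_STOP.search(line):
        return "rrl_stop"
    if RRL_START.search(line):
        return "rrl_start"
    if RECURSIVE_QUOTA.search(line):
        return "recursive_quota"
    return None


def summarize(log_text):
    """Count each message kind and tally RRL throttling events per subnet."""
    summary = {
        "rrl_start": 0,
        "rrl_stop": 0,
        "recursive_quota": 0,
        "rrl_by_subnet": Counter(),
    }
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        summary[kind] += 1
        if kind == "rrl_start":
            subnet = RRL_START.search(line).group(1)
            summary["rrl_by_subnet"][subnet] += 1
    return summary


def diagnose(summary):
    """Name the limiter(s) the log evidence points at, so the right options get reviewed."""
    rrl = summary["rrl_start"] > 0
    recursive = summary["recursive_quota"] > 0
    if rrl and recursive:
        return "both"
    if rrl:
        return "rrl"
    if recursive:
        return "recursive-clients"
    return "none"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("limiter in play:", diagnose(s))
    for subnet, n in s["rrl_by_subnet"].most_common():
        print(f"RRL throttled {subnet} {n} time(s)")
```

Feed it the output of `grep named /var/log/messages` (or wherever named logs on the host) instead of the constructed sample; if only "limit responses to" lines appear, the authoritative RRL settings are the ones to look at, and if only the quota message appears, it is the recursive-client limits.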
