response-rate-limiting - "window" explained?

Tom tomtux007 at
Fri Jan 5 16:21:57 UTC 2018

I've tested several "window" values (5-3600) by fast-querying the
nameserver from a single client, always with the same query. As
explained by Tony, the "window" means the time which the client must
wait after he stops fast-querying the nameserver while he was
successfully dropped.

In my tests, I never had to wait for more than about 5s.
I've configured rate-limits like this:
        rate-limit {
                responses-per-second 5;
                slip 0;
                window 5;
                log-only no;
        };

Could someone explain the problem here? Why do I never have to wait 
longer than about 5s until I'm able to query the nameserver from the 
unique client with the same query again?

Many thanks.
Kind regards,

On 03/27/2017 11:33 AM, Tony Finch wrote:
> Tom <tomtux007 at> wrote:
>> Can someone explain the behaviour of "window" in the rate-limit-context?
> It basically determines the time after a client that was querying very
> fast but then stopped is allowed to receive responses again.
> When a client repeats a query, its counter is decremented until it reaches
> the minimum `-1 * window * responses-per-second`. Its counter is
> incremented by `responses-per-second` each second, so after the client
> stops querying it will be `window` seconds before the counter becomes
> positive which means the client is allowed to receive responses again.
> Tony.
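
A simplified model of the counter rules in the quoted reply, added here as an example; it is not BIND's code and not from either poster. It goes slightly beyond the text by showing how far the counter falls for a given flood rate and duration. The once-per-second credit capped at `responses-per-second`, the starting value, and the function names are assumptions.

```python
import math


def flood(rps, window, qps, seconds):
    """One client repeats one query at `qps` for `seconds`.

    Returns (answered, dropped, counter) under the rules in the reply.
    """
    floor = -window * rps  # minimum: -1 * window * responses-per-second
    counter = 0            # assumption: a new client starts with no balance
    answered = dropped = 0
    for _ in range(seconds):
        # Credit responses-per-second once per second (cap is an assumption).
        counter = min(rps, counter + rps)
        for _ in range(qps):
            if counter > 0:
                answered += 1
            else:
                dropped += 1
            # Every repeated query debits the counter, down to the floor.
            counter = max(floor, counter - 1)
    return answered, dropped, counter


def recovery_seconds(counter, rps):
    """Whole seconds of silence until the counter has climbed back to zero."""
    return max(0, math.ceil(-counter / rps))


if __name__ == "__main__":
    # Constructed scenarios: (window, queries per second, flood duration in s).
    for window, qps, secs in [(5, 100, 10), (3600, 100, 10), (3600, 100, 200)]:
        answered, dropped, counter = flood(5, window, qps, secs)
        print(f"window={window:<5} flood={secs:>3}s answered={answered} "
              f"dropped={dropped} counter={counter} "
              f"recovery={recovery_seconds(counter, 5)}s")
```

In this model the wait equals `window` only once the counter has hit its floor; with `window 3600` and 5 responses per second that takes 18000 net debits, so a 10-second burst at 100 qps leaves a 190-second wait rather than an hour.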

