Bind stats - denied queries?

Karl Pielorz kpielorz_lst at
Tue Dec 1 10:43:33 UTC 2020

--On 30 November 2020 at 08:53:27 -0600 Lyle Giese <lyle at> 

> Be careful 'rejecting' these outright.  These queries are UDP
> traffic (not TCP) and the source address is easily forged.  RRL is the
> correct way to limit these.

So, as the original person that posted the question :)

My question still stands (I'd never presumed this was valid traffic) - what 
I'm trying to find out is whether, buried within the trove of stats produced 
by 'rndc stats', there is any counter that counts:

 Nov 30 00:00:00 client @0xXXXXX X.X.X.X#48536 (.): query (cache) './ANY/IN' denied

i.e. 'Denied' queries. I can see stats for pretty much everything, e.g. 
Queried, notified, all the different record types - there's a block in the 
stats file of:

              749045 queries resulted in nxrrset
                  45 queries resulted in SERVFAIL
               15291 queries resulted in NXDOMAIN

But I was expecting to see something like:

               34343 queries resulted in DENIED

But I can't see it - or anything that's really applicable?

And, as everyone else is talking about RRL - is there a stat that would 
appear for that, e.g.

              234829 queries resulted in RATELIMIT

Or similar?

Currently we're just trying to easily graph the DENIED queries to see how 
much of the total traffic it is.
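
One way to get a graphable series of denied queries straight from log lines of the form quoted above. This is an added example, not part of the original message and not BIND code; the syslog-style timestamp layout is an assumption, and the sample lines are constructed.

```python
import re
from collections import Counter

# Line shape taken from the post; the leading timestamp layout (syslog style,
# no year) is an assumption and differs between logging channels.
DENIED_RE = re.compile(
    r"^\s*(?P<minute>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\s.*?"
    r"\bclient\s+(?:@0x\w+\s+)?(?P<src>[^\s#]+)#\d+\s+"
    r"\([^)]*\):\s+query\s+\(cache\)\s+'(?P<question>[^']+)'\s+denied\b"
)

def parse_denied(line):
    """Return (minute, source, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    parts = m.group("question").rsplit("/", 2)   # 'name/TYPE/CLASS'
    if len(parts) != 3:
        return None
    qname, qtype, _qclass = parts
    return m.group("minute"), m.group("src"), qname, qtype

def summarize(lines):
    """Count denied queries per minute, per qtype and per (spoofable) source."""
    per_minute, per_qtype, per_source = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        minute, src, _qname, qtype = rec
        per_minute[minute] += 1
        per_qtype[qtype] += 1
        per_source[src] += 1
    return per_minute, per_qtype, per_source

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = """\
Nov 30 00:00:00 client @0x7f00aa 192.0.2.10#48536 (.): query (cache) './ANY/IN' denied
Nov 30 00:00:07 client @0x7f00ab 192.0.2.10#1025 (.): query (cache) './ANY/IN' denied
Nov 30 00:00:41 client @0x7f00ac 2001:db8::5#5353 (example.net): query (cache) 'example.net/TXT/IN' denied
Nov 30 00:01:02 client @0x7f00ad 198.51.100.7#40000 (example.org): query: example.org IN A +E(0) (203.0.113.1)
Nov 30 00:01:15 client @0x7f00ae 198.51.100.7#40001 (.): query (cache) './NS/IN' denied
""".splitlines()

if __name__ == "__main__":
    minutes, qtypes, sources = summarize(SAMPLE)
    for minute, count in sorted(minutes.items()):
        print(f"{minute}\t{count}")   # one data point per minute for graphing
    print(dict(qtypes), dict(sources))
```

Because the denied queries arrive over UDP, the per-source counts reflect the address written in the packet, which may be forged.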


