RRL outcome on legitimate traffic...

Karl Pielorz kpielorz_lst at tdx.co.uk
Tue Dec 1 16:15:54 UTC 2020

--On 1 December 2020 at 08:24:50 -0600 Lyle Giese <lyle at lcrcomputer.net> 

> You need to look at the reply named sends when it trips and starts
> limiting UDP traffic source from a given IP address.  It tells the
> requestor to try again using TCP instead of UDP.
> So if the requestor is a legit dns server, it will retry using TCP and
> still get a valid answer.
> Named does not blindly just drop traffic.

Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to stop 
sending responses).

Documentation for rate-limit seemed a bit patchy e.g. KB aa-00994 
references to "See ARM 6.2.15" - which doesn't exist. In fact a lot of the 
KB documents reference Bind 9.9 - and things have moved on.

But I can see it's better explained in the current ARM / Section 

In fact, that entry also covers/says "Legitimate clients react to dropped 
or truncated response by retrying with UDP or with TCP respectively" - 
looks like it documents where these are in stats as well (RateDropped / 
QryDropped et'al) - so I think I'm good to go.


More information about the bind-users mailing list