• DNS_RRL_MAX_RATE defines 1000

    From 程智勇@chengzhycn@gmail.com to bind-users on Wed Jul 8 14:47:36 2020
    From Newsgroup: comp.protocols.dns.bind


    Hi, all

    I recently deployed a DNS cluster made up of a master and two slaves. I enabled the response rate limiting function on the slaves, with the parameters below:

    rate-limit {
        ipv4-prefix-length 32;
        responses-per-second 250;
        all-per-second 1000;
        min-table-size 1000000;
        max-table-size 5000000;
        log-only no;
    };

    But even with this configuration, there were still some DNS queries dropped because of RRL. I looked at rrl.h and noticed the maximum RRL rate is defined like this:

    #define DNS_RRL_MAX_RATE 1000

    And "all-per-second" shouldn't be larger than DNS_RRL_MAX_RATE.

    So could anybody tell me why DNS_RRL_MAX_RATE is defined as 1000? And are there any other methods to get around this limit?

    Thanks and Regards, Zhiyong Cheng


    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Tony Finch@dot@dotat.at to 程智勇 on Wed Jul 8 16:45:38 2020
    From Newsgroup: comp.protocols.dns.bind


    程智勇 <chengzhycn@gmail.com> wrote:

    > So could anybody tell me why DNS_RRL_MAX_RATE defined 1000?

    RRL is designed for authoritative DNS servers. Legitimate queries come
    from recursive resolvers with caches. There should not be more than one
    query for each RRset from each resolver per TTL. So a normal response rate
    limit is relatively small - I set it to 10.

    If you are hitting 1000 queries per second, that implies either there
    are 1000 resolvers behind one IP address (which is VERY unlikely); or the
    query traffic is abusive.

    Are you sure the dropped traffic is legitimate?

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Channel Islands: West to southwest 4 to 5, occasionally 6 mid-channel
    overnight and Thursday morning, occasionally west to northwest 2 to 4 in the
    far south of the area. Slight to moderate with a low swell, perhaps
    occasionally rather rough mid-channel until late morning. Occasional mist and
    fog, especially overnight rain and drizzle at times, especially from Thursday
    morning. Moderate to poor or very poor, locally good at times.
  • From Zhiyong Cheng@chengzhycn@gmail.com to Tony Finch on Thu Jul 9 11:38:11 2020
    From Newsgroup: comp.protocols.dns.bind


    Thanks for this reply : )

    We are using a named cluster in our internal network as the authoritative
    DNS. So there are no cache servers between the clients and the named
    cluster. Maybe we should add one, but that is another story.

    There was a strange thing when I tested RRL using queryperf. I generated
    10000 qnames into test.txt and every qname was queried once. queryperf's
    output is pasted below:

    Statistics:

     Parse input file: once
     Ended due to: reaching end of file

     Queries sent: 10000 queries
     Queries completed: 9820 queries
     Queries lost: 180 queries
     Queries delayed(?): 0 queries

     RTT max: 0.009435 sec
     RTT min: 0.000072 sec
     RTT average: 0.000503 sec
     RTT std deviation: 0.000785 sec
     RTT out of range: 0 queries

     Percentage completed: 98.20%
     Percentage lost: 1.80%

     Started at: Thu Jul 9 11:16:03 2020
     Finished at: Thu Jul 9 11:16:48 2020
     Ran for: 45.300412 seconds

     Queries per second: 216.775070 qps

    The named rate-limiting logs are pasted below:

    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44ed190 10.0.0.10#38722 (anvq.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4414020 10.0.0.10#38722 (anwi.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4518840 10.0.0.10#38722 (anvf.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4552680 10.0.0.10#38722 (anvx.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44dea00 10.0.0.10#38722 (anwa.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4487ca0 10.0.0.10#38722 (anva.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4405890 10.0.0.10#38722 (anwg.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4526fd0 10.0.0.10#38722 (anvr.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b446ad80 10.0.0.10#38722 (anvs.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4430f40 10.0.0.10#38722 (anvh.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44227b0 10.0.0.10#38722 (anvj.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b450a0b0 10.0.0.10#38722 (anvm.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44a4bc0 10.0.0.10#38722 (anwe.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
    09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4496430 10.0.0.10#38722 (anwh.internal): view xxxx: rate limit drop all response to 10.0.0.10/32

    To my mind, RRL should not limit queries with different qnames from the
    same client. So is it my misunderstanding or a wrong config?

    The BIND version is pasted below:

    version: BIND 9.11.4-P2 (Extended Support Version) <id:7107deb>
    On Jul 8, 2020 +0800 PM11:45, Tony Finch <dot@dotat.at> wrote:
    > 程智勇 <chengzhycn@gmail.com> wrote:
    >
    > > So could anybody tell me why DNS_RRL_MAX_RATE defined 1000?
    >
    > RRL is designed for authoritative DNS servers. Legitimate queries come
    > from recursive resolvers with caches. There should not be more than one
    > query for each RRset from each resolver per TTL. So a normal response rate
    > limit is relatively small - I set it to 10.
    >
    > If you are hitting 1000 queries per second, that implies either there
    > are 1000 resolvers behind one IP address (which is VERY unlikely); or the
    > query traffic is abusive.
    >
    > Are you sure the dropped traffic is legitimate?
    >
    > Tony.
    > --
    > f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    > Channel Islands: West to southwest 4 to 5, occasionally 6 mid-channel
    > overnight and Thursday morning, occasionally west to northwest 2 to 4 in the
    > far south of the area. Slight to moderate with a low swell, perhaps
    > occasionally rather rough mid-channel until late morning. Occasional mist and
    > fog, especially overnight rain and drizzle at times, especially from Thursday
    > morning. Moderate to poor or very poor, locally good at times.

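    The drop lines in the post above all name one rate-limited prefix (10.0.0.10/32) but many different qnames, which is the pattern an operator has to recognise before deciding whether to change any limit. As an added example (not code from the thread or from BIND), here is a small Python triage script that parses named's rate-limit log lines in the format pasted above and groups them by prefix, counting events, distinct qnames and action/kind. The sample lines are constructed in that same format: the 10.0.0.20 line and its `slip` action are made up to exercise the grouping, and the regex is modelled on the pasted lines rather than on BIND's source, so adjust it if your named logs differ.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the named rate-limit lines pasted in the
# thread (same format, same client 10.0.0.10, a few distinct qnames). The
# 10.0.0.20 line with its "slip" action is made up to exercise the grouping.
SAMPLE_LOG = """\
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b44ed190 10.0.0.10#38722 (anvq.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4414020 10.0.0.10#38722 (anwi.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.055 rate-limit: info: client @0x7f83b4518840 10.0.0.10#38722 (anvf.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:54.056 rate-limit: info: client @0x7f83b4552680 10.0.0.10#38722 (anvq.internal): view xxxx: rate limit drop all response to 10.0.0.10/32
09-Jul-2020 11:16:55.101 rate-limit: info: client @0x7f83b4405890 10.0.0.20#51022 (www.internal): view xxxx: rate limit slip response to 10.0.0.20/32
"""

# Regex modelled on the lines above (an assumption about the format, not taken
# from rrl.c): timestamp, client address#port, (qname), view, action, optional
# response kind ("all" in the thread; absent for a plain answer), prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rate-limit: \w+: "
    r"client @0x[0-9a-f]+ (?P<addr>[0-9a-f.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): view (?P<view>\S+): "
    r"rate limit (?P<action>\w+)(?: (?P<kind>.+?))? response to (?P<prefix>\S+)$"
)


def parse_rrl_log(text):
    """Parse named rate-limit log lines; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["kind"] = d["kind"] or "answer"  # plain "response" = ordinary answer
            events.append(d)
    return events


def summarize(events):
    """Group events by rate-limited prefix.

    Returns {prefix: {"events": n, "distinct_qnames": k, "by_action": {...}}}.
    One prefix with many events over many distinct qnames is the shape seen in
    the thread; whether that source is a load test, a misconfigured client or
    abuse is what the operator must establish before raising any limit.
    """
    qnames = defaultdict(set)
    actions = defaultdict(Counter)
    for e in events:
        p = e["prefix"]
        qnames[p].add(e["qname"])
        actions[p][(e["action"], e["kind"])] += 1
    return {
        p: {
            "events": sum(actions[p].values()),
            "distinct_qnames": len(qnames[p]),
            "by_action": dict(actions[p]),
        }
        for p in qnames
    }


def flag_prefixes(summary, min_events=3, min_distinct_qnames=3):
    """Prefixes worth a closer look: many rate-limit events across many names."""
    return sorted(
        p for p, s in summary.items()
        if s["events"] >= min_events and s["distinct_qnames"] >= min_distinct_qnames
    )


if __name__ == "__main__":
    summary = summarize(parse_rrl_log(SAMPLE_LOG))
    for prefix, stats in summary.items():
        print(prefix, stats)
    print("flagged:", flag_prefixes(summary))
```

    Run against a real rate-limit log (`parse_rrl_log(open(path).read())`), the flagged list is the set of prefixes to check against your inventory of known clients before touching `responses-per-second` or `all-per-second`.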
  • From Tony Finch@dot@dotat.at to Zhiyong Cheng on Thu Jul 9 19:11:44 2020
    From Newsgroup: comp.protocols.dns.bind

    Zhiyong Cheng <chengzhycn@gmail.com> wrote:

    > We are using named cluster in our internal network as the authoritative
    > DNS. So there are no cache servers between clients and named cluster.
    > Maybe we should add one but it is just another story.

    Sorry, I wasn't completely clear: I was not saying that your authoritative
    servers should have a cache. I was saying that all the legitimate clients
    of your servers (the resolvers at ISPs around the Internet) have caches.

    > To my mind the RRL should not limit queries with different qnames from
    > the same client. So is it my misunderstanding or wrong config?

    If you are querying for nonexistent names then RRL will treat the NXDOMAIN
    responses as equivalent, so it will rate-limit them. RRL limits responses,
    not queries. You can configure a different `nxdomains-per-second` limit if
    you want.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Rockall, Malin: Northwest 4 or 5. Moderate. Showers. Good.
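    To make the point in this reply concrete, here is an added Python model (not BIND's code, and not from anyone in the thread) of how RRL decides which responses are "the same": NXDOMAIN responses are keyed by client prefix and zone only, so any number of distinct nonexistent names fall into one bucket, while positive answers are keyed by qname and qtype. The positive-answer keying and the per-prefix `all-per-second` bucket follow the BIND ARM's description and the configuration in the first post rather than this reply; the one-second fixed window, the simulated rates (300 qps from one /32) and the `FixedWindowRRL`, `simulate` and `burst` names are this example's own simplifications, not BIND's credit-based algorithm.

```python
from collections import defaultdict

# Simplified model of RRL response identity, written for this thread as an
# illustration; it is not BIND's rrl.c. Assumptions: positive answers are keyed
# by (prefix, qname, qtype); NXDOMAIN answers by (prefix, zone) only; and one
# "ALL" bucket per prefix stands in for the all-per-second option.


def rrl_key(client_prefix, zone, qname, qtype, rcode):
    """Identity of a response for rate-limiting purposes."""
    if rcode == "NXDOMAIN":
        # Every nonexistent name under the zone maps to the same key.
        return (client_prefix, "NXDOMAIN", zone.lower())
    return (client_prefix, "ANSWER", qname.lower(), qtype.upper())


class FixedWindowRRL:
    """One-second fixed-window counters per key (a stand-in for BIND's
    credit-based window). A response is dropped once its own bucket, or the
    per-prefix ALL bucket, exceeds its limit within the current second."""

    def __init__(self, responses_per_second, nxdomains_per_second=None,
                 all_per_second=None):
        self.limits = {
            "ANSWER": responses_per_second,
            # BIND defaults nxdomains-per-second to responses-per-second.
            "NXDOMAIN": (nxdomains_per_second if nxdomains_per_second is not None
                         else responses_per_second),
            "ALL": all_per_second,  # None = no all-per-second limit configured
        }
        self.counts = defaultdict(int)  # (second, key) -> responses so far

    def decide(self, second, key):
        prefix, kind = key[0], key[1]
        self.counts[(second, key)] += 1
        all_key = (second, (prefix, "ALL"))
        self.counts[all_key] += 1
        if self.counts[(second, key)] > self.limits[kind]:
            return "drop"
        if self.limits["ALL"] is not None and self.counts[all_key] > self.limits["ALL"]:
            return "drop"
        return "send"


def simulate(rrl, queries):
    """queries: (second, client_prefix, zone, qname, qtype, rcode) tuples.
    Returns how many responses the model would drop."""
    dropped = 0
    for second, prefix, zone, qname, qtype, rcode in queries:
        if rrl.decide(second, rrl_key(prefix, zone, qname, qtype, rcode)) == "drop":
            dropped += 1
    return dropped


def burst(n, qps, rcode, prefix="10.0.0.10/32", zone="internal"):
    """Constructed input: n queries for n distinct names (name0.internal,
    name1.internal, ...) from one client, spread evenly at qps per second."""
    return [(i // qps, prefix, zone, f"name{i}.{zone}", "A", rcode) for i in range(n)]


if __name__ == "__main__":
    cfg = dict(responses_per_second=250, all_per_second=1000)
    # 10000 distinct nonexistent names share one NXDOMAIN bucket -> drops
    print("NXDOMAIN drops:",
          simulate(FixedWindowRRL(**cfg), burst(10000, 300, "NXDOMAIN")))
    # 10000 distinct existing names each get their own bucket -> no drops
    print("NOERROR drops:",
          simulate(FixedWindowRRL(**cfg), burst(10000, 300, "NOERROR")))
    # a separate, higher nxdomains-per-second clears the NXDOMAIN drops
    print("NXDOMAIN drops with nxdomains-per-second 1000:",
          simulate(FixedWindowRRL(nxdomains_per_second=1000, **cfg),
                   burst(10000, 300, "NXDOMAIN")))
```

    The first run drops responses even though every qname is different, which is exactly the behaviour reported earlier in the thread; the second, with the same names existing, drops nothing; the third shows `nxdomains-per-second` acting on the NXDOMAIN bucket alone. The ALL bucket only bites at rates above `all-per-second`, independent of how the names are keyed.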
  • From Zhiyong Cheng@chengzhycn@gmail.com to Tony Finch on Fri Jul 10 20:15:31 2020
    From Newsgroup: comp.protocols.dns.bind


    On Jul 10, 2020 +0800 AM2:11, Tony Finch <dot@dotat.at> wrote:
    > Zhiyong Cheng <chengzhycn@gmail.com> wrote:
    >
    > > We are using named cluster in our internal network as the authoritative
    > > DNS. So there are no cache servers between clients and named cluster.
    > > Maybe we should add one but it is just another story.
    >
    > Sorry, I wasn't completely clear: I was not saying that your authoritative
    > servers should have a cache. I was saying that all the legitimate clients
    > of your servers (the resolvers at ISPs around the Internet) have caches.

    All of these authoritative servers only serve our private clients. So
    there won't be any ISP resolvers.

    I read the Bv9ARM again and noticed a hint in it:

        This mechanism is intended for authoritative DNS servers. It can be used on
        recursive servers but can slow applications such as SMTP servers (mail
        receivers) and HTTP clients (web browsers) that repeatedly request the same
        domains. When possible, closing "open" recursive servers is better.

    So it implies that I just should not use RRL on my authoritative servers,
    because all clients in my IDC internal network query my authoritative
    servers directly. But RRL is not for this scenario.
    > > To my mind the RRL should not limit queries with different qnames from
    > > the same client. So is it my misunderstanding or wrong config?
    >
    > If you are querying for nonexistent names then RRL will treat the NXDOMAIN
    > responses as equivalent, so it will rate-limit them. RRL limits responses,
    > not queries. You can configure a different `nxdomains-per-second` limit if
    > you want.

    That's it! All of my queries are treated as equivalent. Thanks for your
    patience :)

    > Tony.
    > --
    > f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    > Rockall, Malin: Northwest 4 or 5. Moderate. Showers. Good.

    Zhiyong Cheng
