On 22/09/2014 11:55, 陈超 wrote:
> Dear developers,
>
> I've recently encountered a problem with the response rate limit of
> bind-9.9.5.
>
> That is, after I configured RRL and started named, I noticed for those
> queries, BIND9 would do recursion first, and check the rate limit to decide
> whether it should send a response or not, later.
>
> Could you please tell me why RRL was applied in such a manner? If I really
> need to modify the BIND9 implementation to drop all those abused queries
> before recursions take place, can I just go ahead, without causing potential
> troubles? Is it risky?
>
> Any kind of advice will be appreciated. Thank you.
>
> Regards,
>
> Chao Chen
>

This is *response* rate limiting - a recursive server doesn't know what
response it should send to the client (if this is a new query for which
the answer is not in cache) until it has done recursion.

RRL was originally written to solve problems encountered by
authoritative server operators.

I think you may have a different problem that needs a different solution
- possibly DNS RPZ. By default Response Policy behaviour is also to
recurse first, although later versions of RPZ have the option
'qname-wait-recurse' that you can use to change this if your policy
depends on the query name rather than information that can only be
determined from the query response from the authoritative servers.

Kind regards,

Cathy
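
The two mechanisms discussed in this thread, side by side in a named.conf fragment. This is an added example, not configuration posted by either participant; the zone name, file name, record and numeric limits are constructed placeholders, and it assumes a BIND build whose RPZ supports 'qname-wait-recurse'.

```conf
// Added example: names and numbers below are constructed placeholders.
options {
    recursion yes;

    // RRL limits *responses*. On a resolver, the response to an uncached
    // query is only known after recursion, so this block cannot prevent
    // the upstream lookup from happening.
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // RPZ default behaviour: recurse first, then apply policy.
    // response-policy { zone "rpz.example"; };

    // With qname-wait-recurse set to no, rules that trigger on the query
    // name alone are applied without waiting for recursion. Rules that
    // depend on data from the authoritative answer still need it.
    response-policy {
        zone "rpz.example";
    } qname-wait-recurse no;
};

// Policy zone holding the query-name triggers.
zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { none; };
};

// A query-name trigger inside rpz.example.db would look like:
//   abused.example.net   CNAME   .    ; answer NXDOMAIN for this name
```

Running named-checkconf against the file shows whether the installed build accepts 'qname-wait-recurse'.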