Hi Blr,

First things first: if your customers are sending queries, this is
probably about their own recursive queries timing out, rather than
incoming authoritative queries timing out.

Something else you should check: are your customers receiving a
delayed (say a few seconds) SERVFAIL response, or are they receiving
no response at all?

There's a different set of options in BIND for recursive rate limiting
versus authoritative rate limiting.

Recursive queries:

* recursive-clients
* clients-per-query
* max-clients-per-query

Running 'rndc status' is a good way to see how close you are to these
limits; you'll see log messages like

"no more recursive clients: quota reached"

There's also a newer set of "recursive client rate-limiting" features
available in newer (9.9 and 9.10) versions of BIND, but I'm pretty
sure this doesn't apply to your case.

Authoritative queries:
https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
IIRC, rate-limiting for authoritative queries (called "Response rate
limiting" or "RRL") wasn't enabled by default until BIND 9.10.x, and
required a specific build in BIND 9.9.x.  It's not available in BIND
9.8.x.

John

On Mon, Aug 15, 2016 at 9:22 PM, blrmaani <blrma...@gmail.com> wrote:
> I inherited a DNS server which is running BIND 9.8.x. There was a DNS
> incident where our customers complained that they saw query timeouts
> intermittently. (Our customers run Cassandra/Hadoop applications and send the same
> queries repeatedly. They also run nscd on their hosts, but I was told all
> have the same TTL value of 3600, indicating all names expire at the same time on
> thousands of client hosts.)
>
>  I tried to reproduce the issue by sending hostname.bind queries and I see 
> logs similar to the one below:
>
> <time> <client-hostname> named[<pid>]: limit responses to <subnet> for 
> hostname.bind CH TXT <hex-number>
> <time> <client-hostname> named[<pid>]: *stop limiting responses to <subnet> 
> for hostname.bind CH TXT <hex-number>
>
>
> I reviewed /etc/named.conf and do not see 'rate-limit' configuration. I am 
> confused because BIND ARM says rate-limit is disabled by default. But logs 
> indicate otherwise.
>
> ( I did "grep rate /etc/*" and didn't see anything. There are no includes in 
> named.conf)
>
> Please advise on how I can disable rate-limit on my DNS server.
>
>
> I did a strings on 'named' binary and see this:
>
> strings /usr/sbin/named | egrep -i rrl
> dns_rrl
> dns_rrl_init
> dns_rrl_view_destroy
>
> What else do I need to check to identify if RRL is enabled?
>
>
> Thanks
> Blr
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619
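One way to tell the two limiters apart from named's logs, as an added example that is not part of this thread: the script below separates the RRL "limit responses to" / "*stop limiting responses to" lines quoted above from the "no more recursive clients: quota reached" message, using constructed sample log lines (hostname, pid, subnets and the trailing hash are placeholders).

```python
import re
from collections import Counter

# Constructed sample lines in the syslog shape quoted in the thread.
# Hostname, pid, subnets and the trailing hash are placeholders, not real data.
SAMPLE_LOG = """\
Aug 15 21:01:02 ns1 named[1234]: limit responses to 10.0.0.0/24 for hostname.bind CH TXT (a1b2c3d4)
Aug 15 21:01:02 ns1 named[1234]: limit responses to 10.0.1.0/24 for hostname.bind CH TXT (a1b2c3d5)
Aug 15 21:01:30 ns1 named[1234]: *stop limiting responses to 10.0.0.0/24 for hostname.bind CH TXT (a1b2c3d4)
Aug 15 21:02:00 ns1 named[1234]: client 10.0.2.7#53211: no more recursive clients: quota reached
Aug 15 21:02:01 ns1 named[1234]: limit responses to 10.0.0.0/24 for hostname.bind CH TXT (a1b2c3d4)
"""

# RRL (authoritative response rate limiting) messages: "limit responses to"
# when a subnet starts being limited, "*stop limiting responses to" when it ends.
RRL_RE = re.compile(
    r"named\[\d+\]: (?P<action>\*stop limiting|limit) responses to "
    r"(?P<subnet>\S+) for (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
# Recursive-client quota (recursive-clients / clients-per-query): a different limiter.
RECURSIVE_RE = re.compile(r"no more recursive clients: quota reached")

def classify_named_log(text):
    """Count RRL events per subnet and recursive-quota events separately."""
    summary = {"rrl_limit": Counter(), "rrl_stop": Counter(),
               "recursive_quota": 0, "other": 0}
    for line in text.splitlines():
        m = RRL_RE.search(line)
        if m:
            key = "rrl_stop" if m.group("action").startswith("*stop") else "rrl_limit"
            summary[key][m.group("subnet")] += 1
        elif RECURSIVE_RE.search(line):
            summary["recursive_quota"] += 1
        else:
            summary["other"] += 1
    return summary

def active_rrl_subnets(text):
    """Subnets whose latest RRL event is 'limit' with no later '*stop' (still limited)."""
    state = {}
    for line in text.splitlines():
        m = RRL_RE.search(line)
        if m:
            state[m.group("subnet")] = not m.group("action").startswith("*stop")
    return sorted(s for s, limited in state.items() if limited)

if __name__ == "__main__":
    print(classify_named_log(SAMPLE_LOG))
    print("still limited:", active_rrl_subnets(SAMPLE_LOG))
```

If only RRL lines show up, the authoritative `rate-limit` configuration (or a distribution build that enables it) is what is answering those clients; if the recursive-quota line appears, look at `rndc status` and the recursive-clients options instead.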