Hi Vernone

>> Has anyone an idea what the source of this traffic pattern is? It's also
>> interesting to note that quite a lot of 2nd-level queries result in
>> NXDOMAIN responses.
>
> Which RRL implementation are you using? If it is the BIND9 RRL
> implementation, then how are the NXDOMAIN responses evading that limit?

I'm using the current BIND9 9.8.4 RPZ+RRL patch. It's completely evading DNS-RRL on the tld-nameserver where there are a lot of different query-names and the RCODE is NOERROR.

On the 2nd-level name-server the MX query rate is only about 120 qps. I guess it's too few queries to trigger my "generous" DNS-RRL config. I have response-per-second 20. For example, within 15 minutes 81 different query-names are sent. The domain which is queried the most is used 186 times within 15 minutes. That's way below the DNS-RRL config threshold.

However, it's nothing which concerns me. As said, the abusive traffic on the 2nd-level name-server is quite low. On the tld name-server it was different. Sorry that I was not clear on that.

Daniel
