On Feb 10, 2015, at 1:44 PM, Jim Martin <[email protected]> wrote: > This is certainly not our intention for legitimate queries, but as > others have stated, very likely a side effect of running RRL. Are you seeing > this anytime you get 5 NXDOMAINs/s (on any query), or anytime you get 5 > NXDOMAINs/s for the same query? If it’s only when you’re asking the exact > same question over and over (as your example code indicates), it may not be > easily distinguishable from attack behaviour. > > I’ll have some of my team look into it and get back to you. Thanks for > bringing this up!
It sounds like a bad configuration for RRL at f-root, given the replies below that they are unique queries (which would make sense from a caching resolver). If it is that easy to make a bad RRL configuration by (highly) experienced operators, it suggests that the configuration names and documentation are inadequate. Please strongly consider having ISC-f talk to ISC-BIND about the admin interface for RRL, including possible warnings for clearly bad configurations. --Paul Hoffman
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
