Randy Bush wrote:
> is there any guidance on using mod-rrl on a public server with a
> moderate load, say 6kqps?  we have rtfm, and remain unsure of
> what we are doing.  we want cookies, and therefore need to turn
> rrl on.  but with it turned on, we seem to drop a *lot* of
> replies, a lot.
>
> mod-rrl:
>   - id: default
>     rate-limit: 200
>     slip: 2
Hi,

I'm also interested in this topic.  There are some in-depth posts on the
CZ.NIC blog about the rate-limiting mechanisms implemented in Knot
Resolver 6 and (I believe) Knot DNS 3.4.x:

https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-operators-overview/
https://en.blog.nic.cz/2025/02/04/knot-resolver-6-news-dos-protection-technical-solution/

Maybe they could be linked from the Knot DNS mod-rrl documentation.

There was also a DNS-OARC presentation recorded here:

https://www.youtube.com/watch?v=ZXIysoI10NU

I notice there is also an "instant-limit" parameter for mod-rrl [0]
which you don't mention setting but that defaults to 125.  I wonder what
it means for the instant-limit value (125) to be lower than your
rate-limit value (200)?  It seems like the instant-limit should be set
above the rate-limit, but this text from the first post linked above
seems to imply that it can be set either above or below:

    The instant limit is meant to be configured in such a way that a
    new client gets answers to enough of their queries in a short
    period of time, according to what is expected to be their normal
    behavior.  The rate limit can then be set to a lower value saying
    that we accept normal behavior once per several seconds, or to a
    higher value if we can serve it more frequently.

I guess you could do an analysis like recording a trace of DNS queries
hitting your server and counting the maximum number of queries sent per
time interval, per unique source IP address, perhaps excluding outliers
if those outliers look abusive, and then setting the "instant-limit" and
"rate-limit" parameters based on that analysis?  By "per time interval"
I mean, maybe there should be two analyses for a given trace, one of
maximum queries sent per 1 ms per unique source IP address (for setting
"instant-limit"), and another of maximum queries sent per 1 second per
unique source IP address (for setting "rate-limit").
It would be great if the Knot developers could confirm this is a sound
way to analyze and set these parameters.

[0] https://www.knot-dns.cz/docs/3.4/html/modules.html#instant-limit

-- 
Robert Edmonds
edmo...@debian.org
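The two-window analysis suggested above, as an added example that is not code from the thread, Knot DNS or its authors: it buckets a trace into aligned 1 ms and 1 s windows, reports the peak query count per source IP for each, and lets sources judged abusive be excluded before taking the maximum. The trace format ("<seconds.microseconds> <source-ip>", one query per line) and the sample lines are constructed for the example; the windows are aligned to the clock rather than sliding, which is an assumption, not Knot's own accounting.

```python
"""Peak queries per source IP in 1 ms / 1 s windows from a query trace,
to inform mod-rrl instant-limit and rate-limit.  Added example, not Knot
DNS code.  Timestamps are converted to integer microseconds so the
window bucketing is exact."""
from collections import Counter, defaultdict

MS = 1_000          # 1 ms expressed in microseconds
SEC = 1_000_000     # 1 s expressed in microseconds

# Constructed sample trace (not real traffic): two ordinary clients and
# one source that bursts five queries inside a single millisecond.
TRACE = """\
100.000100 192.0.2.10
100.000200 192.0.2.10
100.000300 192.0.2.10
100.500000 192.0.2.10
100.000400 198.51.100.7
100.000050 203.0.113.99
100.000060 203.0.113.99
100.000070 203.0.113.99
100.000080 203.0.113.99
100.000090 203.0.113.99
100.900000 203.0.113.99
"""

def parse_trace(text):
    """Yield (timestamp_us, source_ip); blank lines and '#' comments skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, src = line.split()[:2]
        sec, _, frac = stamp.partition(".")
        yield int(sec) * SEC + int((frac + "000000")[:6]), src

def peak_per_source(records, window_us):
    """Max queries any single source sent within one aligned window."""
    counts = Counter((src, ts // window_us) for ts, src in records)
    peak = defaultdict(int)
    for (src, _bucket), n in counts.items():
        peak[src] = max(peak[src], n)
    return dict(peak)

def suggest_limits(text, exclude=()):
    """(instant_limit, rate_limit): highest 1 ms and 1 s peaks over the
    sources not in `exclude` (e.g. addresses judged abusive on review)."""
    records = list(parse_trace(text))
    ms_peak = peak_per_source(records, MS)
    sec_peak = peak_per_source(records, SEC)
    kept = [s for s in sec_peak if s not in exclude]
    return max(ms_peak[s] for s in kept), max(sec_peak[s] for s in kept)
```

On the sample trace `suggest_limits(TRACE)` returns (5, 6); excluding the bursting source with `suggest_limits(TRACE, {"203.0.113.99"})` returns (3, 4), which is how the outlier exclusion changes the suggested values.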