Re: Rate-limiting - working? How to test?
On 17/01/14 14:22, Rich Goodson wrote:
> You need a rate-limit log stanza to see rate limiting information (rate limiting from IP address, no longer
> limiting from IP address, etc), and the individual queries that are not responded to are logged either in
> your querylog or query-errors (can’t remember which off the top of my head).
>
Yup, that was it :-) I had no 'query-errors' logging set up. I now see the queries being rate-limited (or they would be if I removed/changed the 'log-only' option.)

Thanks,

John.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Rate-limiting - working? How to test?
John,

"log-only yes;" is the reason you are not seeing any rate limiting. You are telling your server not to actually do any rate limiting, just to log what it would have done. You didn’t post any more of your named.conf, but I would assume you don’t have any logging set up for rate limiting, so you don’t see any of that either. You need a rate-limit log stanza to see rate limiting information (rate limiting from IP address, no longer limiting from IP address, etc), and the individual queries that are not responded to are logged either in your querylog or query-errors (can’t remember which off the top of my head).

-Rich

On Jan 17, 2014, at 7:34 AM, John Horne wrote:

> Hello,
>
> I have BIND 9.9.4 installed on a server, and have included in the global
> options:
>
>    rate-limit { responses-per-second 5;
>                 log-only yes;
>    };
>
> However, if I run from a client:
>
>    for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done
>
> I get 10 correct responses. The query log file on the server shows that 10
> queries were received:
>
>    17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)
>
> (The other 9 log entries are the same, except for the milliseconds increasing
> slightly.)
>
> It's Friday afternoon, so I'm probably missing something obvious :-) I cannot
> see why all the queries were responded to, I expected some queries to timeout
> and something to be logged (none of the other bind logs contain anything
> about rate limiting).
>
> Thanks,
>
> John.
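The logging setup this reply describes, as an added example that is not part of the thread: a named.conf fragment that routes the rate-limit and query-errors categories to their own files. The channel names and file paths are assumptions; the category names are BIND's own, and the rate-limit block is the one from the original post.

```conf
// Added example, not from the thread.
// Channel names and file paths below are assumptions; adjust to the local layout.

// Already present in the poster's global options, shown here for context:
//
//   rate-limit { responses-per-second 5;
//                log-only yes;      // test mode: log decisions, drop nothing
//   };

logging {
    // Start and stop notices for each stream of responses being limited
    channel rrl_log {
        file "/var/log/named/rate-limit.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Individual responses that were (or, with log-only, would be) limited
    channel query_errors_log {
        file "/var/log/named/query-errors.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    category rate-limit   { rrl_log; };
    category query-errors { query_errors_log; };
};
```

Validate with named-checkconf and load with rndc reconfig before repeating the dig loop from the original post.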
Re: Rate-limiting - working? How to test?
On Fri, Jan 17, 2014 at 01:34:00PM +, John Horne wrote a message of 40 lines which said:

> log-only yes;

From the ARM:

    Use log-only yes to test rate limiting parameters without actually dropping any requests.

> I get 10 correct responses.

It makes sense.
Rate-limiting - working? How to test?
Hello,

I have BIND 9.9.4 installed on a server, and have included in the global options:

    rate-limit { responses-per-second 5;
                 log-only yes;
    };

However, if I run from a client:

    for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done

I get 10 correct responses. The query log file on the server shows that 10 queries were received:

    17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)

(The other 9 log entries are the same, except for the milliseconds increasing slightly.)

It's Friday afternoon, so I'm probably missing something obvious :-) I cannot see why all the queries were responded to, I expected some queries to timeout and something to be logged (none of the other bind logs contain anything about rate limiting).

Thanks,

John.