> From: Noel Butler <noel.but...@ausics.net>
>
> I have been using this since 9.9.4bx, and although documentation is/was
> lacking at the time, so there might be a whitelisting somewhere, but in
> its absence, I highly advise against using RRL if your mail servers use
> those DNS servers
I believe there have been no significant changes to the RRL documentation since long before any version of BIND 9.9.4. BIND RRL has had whitelisting for trusted DNS clients that send repeated DNS requests since its early days, long before any version of BIND 9.9.4. Look for 'exempt-clients { address_match_list };' in either the ARM that comes with 9.9.4 or via the old link labeled "Draft text for BIND9 Administrators Reference Manual (ARM) describing DNS Response Rate Limiting (RRL)" on the original ratelimits web page at http://www.redbarn.org/dns/ratelimits

    [ rate-limit {
        ...
        [ exempt-clients { address_match_list } ; ]
        ...
    } ; ]

    ... DNS clients within a view can be exempted from rate limits with the exempt-clients clause.

RRL is not recommended for recursive DNS servers, because in theory it could squelch repeated requests from legitimate DNS clients without caches, such as some SMTP servers. However, I do not recall reports of significant real problems with RRL on recursive DNS servers, as opposed to anticipated or minor ones. The worst that should happen is that legitimate clients will be slowed, such as SMTP servers (mail receivers) receiving spews of spam or SMTP clients (mail senders) spewing spam or lacking required DNSBL whitelisting. A legitimate DNS client that is squelched by RRL will time out every other repeated request and (with the default SLIP=2) retry with TCP.

What problems did you see with your mail system and your recursive DNS server with RRL?

Vernon Schryver v...@rhyolite.com

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
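The named.conf fragment below is added here as an illustration of the exempt-clients clause discussed in the reply above; it is not part of either poster's message nor of ISC's documentation. It shows a recursive resolver with RRL enabled and the site's mail servers, which query DNSBLs and MX records at high rates without a local cache, placed on the exemption list. The acl name "mailservers", the host names in comments and the addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions; the rate-limit option names are the ones the BIND ARM documents.

```conf
// Hypothetical mail-server addresses (documentation ranges); replace with your own.
acl "mailservers" {
    192.0.2.25;           // mx1.example.net (assumed)
    192.0.2.26;           // mx2.example.net (assumed)
    2001:db8:1::25;       // mx1.example.net IPv6 (assumed)
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; };

    rate-limit {
        // Caps on identical responses per client prefix per second;
        // responses above the cap are dropped or sent truncated.
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;

        // slip 2 is the default: every other suppressed response is sent
        // with TC=1, so a legitimate client retries over TCP instead of
        // only timing out.
        slip 2;

        // Clients matched here are never rate limited. Mail servers
        // are the classic case of a cache-less client with legitimate
        // bursts of repeated queries.
        exempt-clients { mailservers; localhost; };

        // Audit first: log what would be limited without enforcing it.
        // Switch to "no" once the logs show only abusive traffic.
        log-only yes;
    };
};
```

Validate the file with named-checkconf before reloading, and watch the rate-limit logging category (info severity) while log-only is still yes: if your MX hosts show up there, extend the acl before enforcing. Inside a view, the same rate-limit block can be placed in the view statement so the exemption applies only to that view's clients.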