Rate-limiting - working? How to test?

2014-01-17 Thread John Horne

Hello,

I have BIND 9.9.4 installed on a server, and have included in the global 
options:


rate-limit { responses-per-second 5;
  log-only yes;
};

However, if I run from a client:

for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done


I get 10 correct responses. The query log file on the server shows that 
10 queries were received:


   17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)


(The other 9 log entries are the same, except for the milliseconds 
increasing slightly.)


It's Friday afternoon, so I'm probably missing something obvious :-) I 
cannot see why all the queries were responded to; I expected some 
queries to time out and something to be logged (none of the other BIND 
logs contain anything about rate limiting).




Thanks,

John.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Rate-limiting - working? How to test?

2014-01-17 Thread Stephane Bortzmeyer
On Fri, Jan 17, 2014 at 01:34:00PM +,
 John Horne john.ho...@plymouth.ac.uk wrote 
 a message of 40 lines which said:

> log-only yes;

From the ARM:

Use log-only yes to test rate limiting parameters
without actually dropping any requests.

> I get 10 correct responses.

It makes sense.


Re: Rate-limiting - working? How to test?

2014-01-17 Thread Rich Goodson
John,

log-only yes;

is the reason you are not seeing any rate limiting.  You are telling your 
server not to actually do any rate limiting, just to log what it would have 
done.  You didn’t post any more of your named.conf, but I would assume you 
don’t have any logging set up for rate limiting, so you don’t see any of that 
either.

You need a rate-limit log stanza to see rate limiting information (rate 
limiting from IP address, no longer limiting from IP address, etc), and the 
individual queries that are not responded to are logged either in your querylog 
or query-errors (can’t remember which off the top of my head).

-Rich

On Jan 17, 2014, at 7:34 AM, John Horne john.ho...@plymouth.ac.uk wrote:

> Hello,
>
> I have BIND 9.9.4 installed on a server, and have included in the global
> options:
>
> rate-limit { responses-per-second 5;
>   log-only yes;
> };
>
> However, if I run from a client:
>
> for n in `seq 1 10`; do dig +short jhorne.csd.plymouth.ac.uk a @141.163.66.138; done
>
> I get 10 correct responses. The query log file on the server shows that 10
> queries were received:
>
> 17-Jan-2014 13:20:43.662 client 141.163.66.139#55184 (jhorne.csd.plymouth.ac.uk): view plymouth-only: query: jhorne.csd.plymouth.ac.uk IN A + (141.163.66.138)
>
> (The other 9 log entries are the same, except for the milliseconds increasing
> slightly.)
>
> It's Friday afternoon, so I'm probably missing something obvious :-) I cannot
> see why all the queries were responded to, I expected some queries to timeout
> and something to be logged (none of the other bind logs contain anything
> about rate limiting).
>
> Thanks,
>
> John.

Re: Rate-limiting - working? How to test?

2014-01-17 Thread John Horne

On 17/01/14 14:22, Rich Goodson wrote:

> You need a rate-limit log stanza to see rate limiting information (rate
> limiting from IP address, no longer limiting from IP address, etc), and the
> individual queries that are not responded to are logged either in your
> querylog or query-errors (can’t remember which off the top of my head).


Yup, that was it :-) I had no 'query-errors' logging set up. I now see 
the queries being rate-limited (or they would be if I removed/changed 
the 'log-only' option.)



Thanks,

John.
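
The setup the thread converges on, as an added example that is not part of the original messages or any participant's configuration: the rate-limit block from the first message together with logging for the rate-limit and query-errors categories named in the replies. The channel name rrl_log, the log file path, the rotation settings and the severity threshold are assumptions.

```conf
// Added example, not from the thread. The channel name "rrl_log",
// the file path and the rotation settings are assumptions.
logging {
    channel rrl_log {
        file "/var/log/named/rate-limit.log" versions 3 size 5m;
        severity info;        // assumed threshold
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Per-client notices: limiting has started / is no longer applied.
    category rate-limit   { rrl_log; };

    // Individual queries that are not answered (or, with log-only,
    // that would not have been answered).
    category query-errors { rrl_log; };
};

options {
    // ... existing options ...

    rate-limit {
        responses-per-second 5;
        log-only yes;   // test mode: decisions are logged, nothing is dropped
    };
};
```

With log-only yes in place, the dig loop from the first message still returns 10 answers; the limiter's decisions appear only in the log channel until log-only is removed or changed.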