Hi Thomas,
Bind's RRL drops rate limited responses by default. If you want a similar
configuration for Knot DNS you have to set:
mod-rrl:
- id: default
rate-limit: 5
slip: 0
Another difference is that our RRL starts slowly - it usually passes more
responses than configured.
Please note the "+ignore" option!
$ while true; do date +"second %S"; dig @::1
example.com soa +ignore +time=1
+tries=1 | grep ANSWER; done
second 02
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
...
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 02
second 03
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 03
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 03
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 03
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 03
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 03
second 04
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 04
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 04
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 04
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 04
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 04
second 05
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 05
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 05
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 05
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 05
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
second 05
Best,
Daniel
On 1/28/20 11:31 PM, Thomas Krause wrote:
Hi all,
I migrated from bind to knot. Everything works fine, except rrl.
I "translated" the bind config
rate-limit {
responses-per-second 5;
window 5;
};
to
mod-rrl:
- id: default
rate-limit: 5
slip: 2 # Every other response slips
template:
- id: default
storage: "/etc/knot/zones"
timer-db: "/var/lib/knot/timers"
semantic-checks: on
global-module: mod-rrl/default
But the limiting doesn't work. I testet with
for i in {1..20}; \
do dig @ns +short +tries=1 +time=1 mydomain.de a; \
done
And got 20 answers quickly.
Any ideas what's wrong here?
(I'm unsing ver 2.7.6 @Debian 10)
Best regards,
Thomas.