About NSD query rate limiting (RRL)
[root@localhost ~]# cat /etc/fedora-release
Fedora release 18 (Spherical Cow)
[root@localhost ~]# uname -ri
3.8.8-202.fc18.x86_64 x86_64
Install NSD with yum
[root@localhost ~]# yum install -y nsd
[root@localhost ~]# nsd -v
NSD version 3.2.15
Written by NLnet Labs.
Copyright (C) 2001-2011 NLnet Labs. This is free software.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
Configuration file
[root@localhost ~]# cd /etc/nsd/
[root@localhost nsd]# ls
nsd.conf
As seen in man nsd.conf, Fedora's nsd package has been compiled with --enable-ratelimit (the rrl-* options are documented).
man nsd.conf

server options:
  rrl-size: <numbuckets>
    This option gives the size of the hashtable. Default 1000000.
    More buckets use more memory, and reduce the chance of hash collisions.

  rrl-ratelimit: <qps>
    The max qps allowed (from one query source). Default 200 qps. If
    set to 0 then it is disabled (unlimited rate), also set the
    whitelist-ratelimit to 0 to disable ratelimit processing. If
    you set verbosity to 2 the blocked and unblocked subnets are
    logged. Blocked queries are blocked and some receive TCP fallback replies.

  rrl-whitelist-ratelimit: <qps>
    The max qps for query sorts for a source, which have been
    whitelisted. Default 2000 qps. With the rrl-whitelist option you
    can set specific queries to receive this qps limit instead of
    the normal limit. With the value 0 the rate is unlimited.

zone options:
  rrl-whitelist: <rrltype>
    This option causes queries of this rrltype to be whitelisted,
    for this zone. They receive the whitelist-ratelimit. You can
    give multiple lines, each enables a new rrltype to be
    whitelisted for the zone. Default has none whitelisted. The rrltype
    is the query classification that the NSD RRL employs to
    make different types not interfere with one another. The types
    are logged in the loglines when a subnet is blocked (in verbosity 2).
    The RRL classification types are: nxdomain, error,
    referral, any, rrsig, wildcard, nodata, dnskey, positive, all.
nsd.conf
NSD is serving one zone, "foo.com":
# egrep -v "#" nsd.conf | grep -v ^$
server:
        ip4-only: yes
        server-count: 1
        pidfile: "/var/run/nsd/nsd.pid"
        database: /var/lib/nsd/nsd.db
zone:
        name: "foo.com"
        zonefile: "/etc/nsd/zone_files/foo.com.db"
# dig @127.1 www.foo.com
; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-10.P2.fc18 <<>> @127.1 www.foo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37147
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.foo.com. IN A
;; ANSWER SECTION:
www.foo.com. 60 IN A 127.0.0.1
;; AUTHORITY SECTION:
foo.com. 60 IN NS ns1.foo.com.foo.com.
foo.com. 60 IN NS ns2.foo.com.foo.com.
Configure rate limiting (normal limit 10 qps, whitelisted types 100 qps, verbosity 2 so blocks are logged):
# egrep -v "#" nsd.conf | grep -v ^$
server:
        hide-version: yes
        verbosity: 2
        ip4-only: yes
        server-count: 1
        pidfile: "/var/run/nsd/nsd.pid"
        rrl-ratelimit: 10
        rrl-whitelist-ratelimit: 100
        database: /var/lib/nsd/nsd.db
zone:
        name: "foo.com"
        zonefile: "/etc/nsd/zone_files/foo.com.db"
        rrl-whitelist: nxdomain
        rrl-whitelist: nodata
NSD blocks the source /24 subnet and logs it (verbosity 2):
Apr 26 02:38:54 localhost nsd[1797]: ratelimit block www.foo.com. type positive target 192.168.11.0/24
Apr 26 02:39:23 localhost nsd[1797]: ratelimit unblock www.foo.com. type positive target 192.168.11.0/24
As for the whitelisted query types (nxdomain and nodata), NSD blocks queries only when the qps exceeds 100, the rrl-whitelist-ratelimit configured above.
[ when qps is under 100, NSD does not block ]
Send 50 NXDOMAIN qps: all queries succeed.
# dnsperf -s 192.168.11.42 -d query_list.txt -Q 50 -l 100
Statistics:
Queries sent: 500
Queries completed: 500 (100.00%)
Queries lost: 0 (0.00%)
Response codes: NXDOMAIN 500 (100.00%)
Average packet size: request 28, response 79
Run time (s): 10.000201
Queries per second: 49.998995
Average Latency (s): 0.000400 (min 0.000245, max 0.001611)
Latency StdDev (s): 0.000061
No ratelimit log lines are produced.
[ when qps is over 100, NSD blocks ]
Send 200 NXDOMAIN qps: NSD blocks, and about a quarter of the queries are lost.
# dnsperf -s 192.168.11.42 -d query_list.txt -Q 200 -l 10
Statistics:
Queries sent: 810
Queries completed: 610 (75.31%)
Queries lost: 200 (24.69%)
Response codes: NXDOMAIN 610 (100.00%)
Average packet size: request 28, response 63
Run time (s): 10.000159
Queries per second: 60.999030
Average Latency (s): 0.000431 (min 0.000094, max 0.002196)
Latency StdDev (s): 0.000257
NSD blocked; note the "(whitelisted)" tag on the classification type in the log line:
Apr 26 02:41:47 localhost nsd[1797]: ratelimit block foo.com. type nxdomain(whitelisted) target 192.168.11.0/24
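As an added example (not code from the original post or from NSD), here is a small Python parser for the "ratelimit block" / "ratelimit unblock" syslog lines shown above; it pairs each block with its unblock per (target subnet, name, type), reports how long the block lasted, and flags blocks that hit a whitelisted type. The sample lines are constructed from the post's format, and the syslog year is assumed (the lines carry none).

```python
import re
from datetime import datetime

# Constructed sample log, in the format NSD writes at verbosity 2.
SAMPLE_LOG = """\
Apr 26 02:38:54 localhost nsd[1797]: ratelimit block www.foo.com. type positive target 192.168.11.0/24
Apr 26 02:39:23 localhost nsd[1797]: ratelimit unblock www.foo.com. type positive target 192.168.11.0/24
Apr 26 02:41:47 localhost nsd[1797]: ratelimit block foo.com. type nxdomain(whitelisted) target 192.168.11.0/24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ nsd\[\d+\]: "
    r"ratelimit (?P<action>block|unblock) (?P<name>\S+) "
    r"type (?P<rtype>[a-z]+)(?P<wl>\(whitelisted\))? target (?P<target>\S+)$"
)

def parse_line(line, year=2013):
    """Return a dict for one ratelimit line, or None for unrelated lines.
    year is an assumption: syslog timestamps have no year."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "name": m["name"],
            "rtype": m["rtype"], "whitelisted": m["wl"] is not None,
            "target": m["target"]}

def summarize(log_text):
    """Pair block/unblock events per (target, name, rtype).
    Returns one record per block; duration_s is None if still blocked."""
    open_blocks, events = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["target"], ev["name"], ev["rtype"])
        if ev["action"] == "block":
            open_blocks[key] = ev
        elif key in open_blocks:
            start = open_blocks.pop(key)
            dur = (ev["ts"] - start["ts"]).total_seconds()
            events.append({**start, "duration_s": dur})
    # blocks with no matching unblock yet are still active
    for start in open_blocks.values():
        events.append({**start, "duration_s": None})
    return events

if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG):
        print(e["target"], e["name"], e["rtype"],
              "whitelisted" if e["whitelisted"] else "",
              e["duration_s"] if e["duration_s"] is not None else "still blocked")
```

Feed it /var/log/messages (or the journal) to see which subnets and classification types are being limited and whether a whitelisted type is hitting the higher limit.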