Randy Bush wrote:
is there any guidance on using mod-rrl on a public
server with a
moderate load, say 6kqps? we have rtfm, and remain unsure of
what we are doing. we want cookies, and therefore need to turn
rrl on. but with it turned on, we seem to drop a *lot* of
replies, a lot.
mod-rrl:
  - id: default
    rate-limit: 200
    slip: 2
Hi,
I'm also interested in this topic.
There are some in-depth posts on the CZ.NIC blog about the rate-limiting
mechanisms implemented in Knot Resolver 6 and (I believe) Knot DNS 3.4.x:
https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-opera…
https://en.blog.nic.cz/2025/02/04/knot-resolver-6-news-dos-protection-techn…
Maybe they could be linked from the Knot DNS mod-rrl documentation.
There was also a DNS-OARC presentation recorded here:
https://www.youtube.com/watch?v=ZXIysoI10NU
I notice there is also an "instant-limit" parameter for mod-rrl [0]
which you don't mention setting but that defaults to 125. I wonder
what it means for the instant-limit value (125) to be lower than your
rate-limit value (200)? It seems like the instant-limit should be set
above the rate-limit, but this text from the first post linked above
seems to imply that it can be set either above or below:
The instant limit is meant to be configured in such a way that a
new client gets answers to enough of their queries in a short period
of time, according to what is expected to be their normal behavior.
The rate limit can then be set to a lower value saying that we
accept normal behavior once per several seconds, or to a higher
value if we can serve it more frequently.
I guess you could do an analysis like recording a trace of DNS queries
hitting your server and counting the maximum number of queries sent per
time interval, per unique source IP address, perhaps excluding outliers
if those outliers look abusive, and then setting the "instant-limit" and
"rate-limit" parameters based on that analysis?
By "per time interval" I mean, maybe there should be two analyses for
a given trace, one of maximum queries sent per 1 ms per unique source
IP address (for setting "instant-limit"), and another of maximum
queries sent per 1 second per unique source IP address (for setting
"rate-limit"). It would be great if the Knot developers could confirm
this is a sound way to analyze and set these parameters.
[0] https://www.knot-dns.cz/docs/3.4/html/modules.html#instant-limit
--
Robert Edmonds
edmonds(a)debian.org
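The trace analysis proposed in the message above, worked through as an added example. This is not Knot DNS code and not the poster's own script; it assumes the trace is a list of (timestamp in microseconds, source IP) records, uses fixed 1 ms and 1 s windows, and approximates "excluding outliers that look abusive" by dropping the top fraction of sources ranked by their peak count. The sample trace is constructed, not captured traffic.

```python
"""Per-source query-burst analysis for choosing mod-rrl thresholds.

Added worked example; not Knot DNS code and not the original poster's.
Assumptions: trace records are (ts_us, source_ip), window sizes are 1 ms
and 1 s, and outliers are approximated by a top-fraction cut.
"""
from collections import defaultdict

MS_US = 1_000          # 1 ms expressed in microseconds
SEC_US = 1_000_000     # 1 s expressed in microseconds


def per_source_peak(trace, window_us):
    """Maximum number of queries any single source sent within one window.

    Windows are fixed and aligned to timestamp 0 (bucket = ts // window_us).
    A sliding window would count slightly higher across bucket boundaries,
    so treat the result as a lower bound on the true burst size.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts_us, src in trace:
        counts[src][ts_us // window_us] += 1
    return {src: max(buckets.values()) for src, buckets in counts.items()}


def trim_top(peaks, drop_fraction):
    """Drop the top drop_fraction of sources ranked by peak count.

    Crude stand-in for "exclude outliers that look abusive": the dropped
    sources should be inspected by hand before being discarded.
    """
    n_drop = int(len(peaks) * drop_fraction)
    ranked = sorted(peaks.items(), key=lambda kv: kv[1])
    return dict(ranked[: len(ranked) - n_drop])


def suggest_limits(trace, drop_fraction=0.0):
    """Candidate instant-limit / rate-limit values from a trace: the largest
    per-1-ms and per-1-s peaks among the sources that survive the cut."""
    instant = trim_top(per_source_peak(trace, MS_US), drop_fraction)
    rate = trim_top(per_source_peak(trace, SEC_US), drop_fraction)
    return {"instant-limit": max(instant.values()),
            "rate-limit": max(rate.values())}


def _burst(start_us, n, spacing_us, src):
    """Helper to build n evenly spaced records for one constructed source."""
    return [(start_us + i * spacing_us, src) for i in range(n)]


# Constructed sample trace (not captured traffic): (ts_us, src_ip).
SAMPLE_TRACE = (
    _burst(0, 5, 100_000, "192.0.2.10")            # steady: 1 query / 100 ms
    + _burst(500_000, 4, 200, "192.0.2.20")        # plausible burst: 4 in 1 ms
    + _burst(1_200_000, 3, 100_000, "192.0.2.20")
    + _burst(2_000_000, 300, 3, "203.0.113.7")     # abusive-looking: 300 in 1 ms
    + _burst(3_000_000, 2, 500, "198.51.100.5")
)

if __name__ == "__main__":
    print("per-1ms peaks:", per_source_peak(SAMPLE_TRACE, MS_US))
    print("per-1s peaks: ", per_source_peak(SAMPLE_TRACE, SEC_US))
    print("no exclusion:  ", suggest_limits(SAMPLE_TRACE))
    print("top 25% dropped:", suggest_limits(SAMPLE_TRACE, drop_fraction=0.25))
```

Run against the constructed trace, the one source sending 300 queries in a millisecond dominates both peaks until it is cut, after which the candidate values (4 per ms, 5 per s) reflect the remaining clients. On a real trace the sources removed by the cut are exactly the ones worth looking at by hand, since a busy recursive resolver and an abusive source can both appear as outliers; the script only replaces the counting, not that judgement, and it does not reproduce mod-rrl's own algorithm as described in the linked posts.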