Maintained by: NLnet Labs

Ratelimit misbehavior

Eduardo Schoedler
Fri May 6 02:47:21 CEST 2016


Hi Daisuke,

Thank you for the response.

This same behaviour is occurring for all domains that have been attacked. Do
you think it is the same reason (nameservers tango down)?

Regards,

--
Eduardo Schoedler

On Thursday, 5 May 2016, Daisuke HIGASHI <
daisuke.higashi at gmail.com> wrote:

> Hi, Eduardo:
>
> It seems that all nameservers of "315ye.zj.cn" (ns1.22.cn, ns2.22.cn)
> are completely down and give no response. In Unbound's "infra" database all
> NS of "315ye.zj.cn" should be marked as "rto 120000", which means
> "not responsible".
>
> $ unbound-control dump_infra | grep 315ye.zj.cn
> 121.12.104.72 315ye.zj.cn. ttl 4 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
> 121.12.104.73 315ye.zj.cn. ttl 0 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
> 218.66.171.136 315ye.zj.cn. ttl 6 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
> 218.66.171.137 315ye.zj.cn. ttl 2 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
>
> In this case Unbound stops resolving names under the zone (returns
> SERVFAIL for user queries) for a while.
>
> Unbound's "ratelimit" feature ratelimits the number of queries from
> Unbound to nameservers, not from user to Unbound. So my guess is:
> Unbound should already have stopped resolving "315ye.zj.cn" because
> all the NSs are down, so its "ratelimit" feature no longer detects
> excessive queries to "315ye.zj.cn" nameservers.
>
> Regards,
> --
>  Daisuke Higashi
>


-- 
Eduardo Schoedler
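
Added example (not part of the original messages and not Unbound's own code): a small Python parser for `unbound-control dump_infra` output that lists zones whose cached nameservers are all at the "rto 120000" value quoted in the thread. The function names and the two example.net sample lines (192.0.2.x addresses) are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Value the thread shows for servers Unbound has stopped using ("rto 120000").
RTO_BACKED_OFF = 120000

# First two fields are server IP and zone; rto is picked out by keyword so the
# bare "lame" token and any other fields do not affect parsing.
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<zone>\S+)\s.*?\brto\s+(?P<rto>\d+)\b")

def parse_infra(text):
    """Yield (ip, zone, rto) for each dump_infra line that carries an rto field."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["zone"].lower(), int(m["rto"])

def unreachable_zones(text, threshold=RTO_BACKED_OFF):
    """Return {zone: [ips]} for zones where every cached server is at or above threshold."""
    by_zone = defaultdict(list)
    for ip, zone, rto in parse_infra(text):
        by_zone[zone].append((ip, rto))
    return {
        zone: sorted(ip for ip, _ in servers)
        for zone, servers in by_zone.items()
        if all(rto >= threshold for _, rto in servers)
    }

# Sample input: first two lines are from the thread; the example.net lines are
# constructed to show a zone that still has one working server.
SAMPLE = """\
121.12.104.72 315ye.zj.cn. ttl 4 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
121.12.104.73 315ye.zj.cn. ttl 0 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.1 example.net. ttl 10 ping 20 var 30 rtt 140 rto 140 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.2 example.net. ttl 10 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""

if __name__ == "__main__":
    # Pipe real output in (unbound-control dump_infra | python3 script.py),
    # or run with no pipe to use the sample above.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for zone, ips in sorted(unreachable_zones(text).items()):
        print(f"{zone} all {len(ips)} cached servers at rto>={RTO_BACKED_OFF}: {', '.join(ips)}")
```

Zones reported here are the ones for which, per the explanation above, Unbound is answering SERVFAIL rather than sending upstream queries, so the upstream "ratelimit" counter has nothing to count.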