[dnsdist] dbr:setRCodeRate - DNSRCode.NXDOMAIN not working with packetcache
Remi Gacogne
remi.gacogne at powerdns.com
Fri May 15 08:13:03 UTC 2020
Hi Dave,
On 5/15/20 9:31 AM, Dave Strydom via dnsdist wrote:
> I've picked up a strange issue in 1.4 where the
>
> dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
>
> rate limit seems to be ignored if the packet cache is enabled and only
> the dbr:setQueryRate triggers.
> The moment I disable the packet cache, the NXDOMAIN rate limiting works.
> [...]
> Is this an issue or is this by design?

The short answer is that this is by design, as responses served from the
cache are not hurting the backend.

The long answer is that the dynamic blocks are generated from the last N
entries kept in our query and response ring buffers. While queries are
always inserted into the query ring buffer, answers served from the packet
cache are not, because we mostly care about the answers received from
our backend but also because we wanted the packet cache hit path to be
as fast as possible. So these answers are not visible when determining
whether a client exceeded a trigger based on the content of responses.

I guess we could make it possible to add cache hit answers to the
response ring buffer at some cost, but we would have to check that it
does not have any unforeseen impact in other parts of the code.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
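
An added illustration, not part of the original message and not dnsdist code: a small Python model of the behaviour described in this reply, where queries always reach the query ring but only backend answers reach the response ring. The class, the cache keyed by name only, the missing TTL handling, the traffic pattern and the reuse of the 5/10 threshold for the query-rate check are all assumptions made for the example.

```python
from collections import deque

NXDOMAIN = 3  # DNS RCODE value for NXDOMAIN

class RingModel:
    """Simplified model of the query/response rings and a packet cache."""
    def __init__(self, cache_enabled, ring_size=10000):
        self.cache_enabled = cache_enabled
        self.cache = {}                                # qname -> rcode (no TTL in this model)
        self.query_ring = deque(maxlen=ring_size)      # (time, client)
        self.response_ring = deque(maxlen=ring_size)   # (time, client, rcode)

    def handle(self, now, client, qname, backend):
        self.query_ring.append((now, client))          # queries are always recorded
        if self.cache_enabled and qname in self.cache:
            return self.cache[qname]                   # cache hit: response ring is not touched
        rcode = backend(qname)
        self.response_ring.append((now, client, rcode))  # only backend answers are recorded
        if self.cache_enabled:
            self.cache[qname] = rcode
        return rcode

    def query_rate_exceeded(self, now, client, rate, seconds):
        n = sum(1 for t, c in self.query_ring
                if c == client and now - t <= seconds)
        return n > rate * seconds

    def rcode_rate_exceeded(self, now, client, rcode, rate, seconds):
        n = sum(1 for t, c, r in self.response_ring
                if c == client and r == rcode and now - t <= seconds)
        return n > rate * seconds

def simulate(cache_enabled):
    """Constructed traffic: one client repeats one nonexistent name 20 times/s for 10 s."""
    model = RingModel(cache_enabled)
    backend = lambda qname: NXDOMAIN                   # constructed backend: every name is NXDOMAIN
    client = "192.0.2.1"                               # documentation address, constructed
    for i in range(200):
        model.handle(i / 20.0, client, "missing.example.", backend)
    now = 10.0
    return (
        model.query_rate_exceeded(now, client, 5, 10),            # assumed query-rate threshold
        model.rcode_rate_exceeded(now, client, NXDOMAIN, 5, 10),  # 5 per second over 10 s, as in the quoted rule
        len(model.response_ring),
    )

if __name__ == "__main__":
    print("cache on :", simulate(True))
    print("cache off:", simulate(False))
```

With the cache on, the response ring holds a single NXDOMAIN entry for the whole burst, so only the query-based trigger can fire; with the cache off, every answer is counted.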