Bugzilla – Bug 598
Last modified: 2018-08-21 11:30:44 CEST
How can we calculate the rrl-size?
How it is spent?
Now, with suspiciously small number of locks is a lot of errors "bucket collision" -
mamonov@ns2:~$ grep -c "ratelimit block" /var/log/nsd.log.1
mamonov@ns2:~$ grep -c "bucket collision" /var/log/nsd.log.1
mamonov@ns2:~$ grep -c "ratelimit block" /var/log/nsd.log
mamonov@ns2:~$ grep -c "bucket collision" /var/log/nsd.log
It have very little information in nsd.conf.sample and http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ .
And unthinkingly increase rll-size not good.
Too much hash should result whith overspending memory and performance degradation.
Now we have 4.0.4, default rrl-size - 1000000 and rrl-ipv4-prefix-length: 32.
For your case I would increase the rrl-size by 10x.
You have the prefix length set to 32bits, but the default is 24bits. With 24bits there would be less collisions. But perhaps you wanted more details in the ratelimits (for some reason)? The /24 is because that is a network that likely shares the same upstream pipe (and DNS resolver).
But why 10x?
Between 32bits and 24bits the difference is not 10x.
We want to drop and etc. only attacks ip, not all subnet.
Because we use rrl-ipv4-prefix-length - 32.
The 10x is an estimate. Then you can look at the logs again.
It is using a lot more of the rrl to keep track of the non-blocked traffic, i.e. how many packets per second for them. That is where you are getting the collisions from, not (so much) from the rrl entries used to block.