[c-nsp] rate limit dns
Gert Doering
gert at greenie.muc.de
Fri Jan 3 07:19:28 EST 2014
Hi,
On Fri, Jan 03, 2014 at 11:57:31AM +0000, Phil Mayers wrote:
> It would be interesting to see some real-world numbers on this, to see
> if it is a win or not. As I say, my gut says no, but gut != proof ;o)
Well, my "real world" numbers on FreeBSD+unbound+pf are: if I enable
state tracking in pf, it will about double CPU usage.
The system in question did not have much CPU to spare, so this led to
DNS queries sometimes being dropped, which resulted in poor user
experience.
(The change to keep state was not intentional - it came as a side effect
of a FreeBSD update, I think 6->7, which changed the default in pf.conf
from 'no state' to 'keep state', if not specified explicitly)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
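The pf.conf default change Gert describes, as an added illustration (this is not configuration from the post; the interface name `ext_if` and the resolver address `dns_ip` are assumed placeholders). On pf versions where `keep state` is the default, a rule that does not say `no state` creates a state entry for every DNS query, which is where the extra CPU goes; adding `no state` to the UDP/53 rules restores stateless handling, with the caveat that replies are no longer matched automatically and need their own outbound pass rule.

```pf
# Added example, not from the post. Assumed placeholder values:
ext_if = "em0"
dns_ip = "192.0.2.53"

# Before (FreeBSD 7+, pf from OpenBSD 4.1): a rule with no state option is
# implicitly 'keep state', so each query inserts a state-table entry and
# each reply is looked up against the table.
#
#   pass in quick on $ext_if proto udp from any to $dns_ip port 53

# After: explicit stateless handling of resolver traffic. No state entry is
# created, so replies are not matched by the state table and must be passed
# by their own rule in the outbound direction.
pass in  quick on $ext_if proto udp from any to $dns_ip port 53 no state
pass out quick on $ext_if proto udp from $dns_ip port 53 to any no state
```

After loading the ruleset, `pfctl -s state` should no longer show entries for port 53 on the resolver address; if it still does, another rule earlier in the file is matching the traffic with the default state option.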