Throttling or other issue

ferdinand.vroom · October 16, 2019, 10:52am

We are experiencing issues with the 1.1.1.1 resolver.
We do send a lot of requests. > 180mio a day (24hrs).

We ran a packet capture:
16:14:06.909326 IP (tos 0x0, ttl 128, id 25580, offset 0, flags [none], proto: UDP (17), length: 68) x.x.x.x.55488 > 1.1.1.1.domain: [udp sum ok] 55400+ [1au] A? domainname.nl. ar: . OPT UDPsize=4000 (40)
16:14:08.896795 IP (tos 0x0, ttl 128, id 27591, offset 0, flags [none], proto: UDP (17), length: 68) x.x.x.x.55167 > 1.0.0.1.domain: [udp sum ok] 8746+ [1au] AAAA? domainname.nl. ar: . OPT UDPsize=4000 (40)
16:14:08.905439 IP (tos 0x0, ttl 58, id 38584, offset 0, flags [DF], proto: UDP (17), length: 553) 1.0.0.1.domain > x.x.x.x.55167: 8746$ q: AAAA? domainname.nl. 0/4/1 ns: domainname.nl. SOA[|domain]
16:14:11.129775 IP (tos 0x0, ttl 128, id 25705, offset 0, flags [none], proto: UDP (17), length: 68) x.x.x.x.55488 > 1.1.1.1.domain: [udp sum ok] 55400+ [1au] A? domainname.nl. ar: . OPT UDPsize=4000 (40)

(I changed the zonename to domainname.nl to show it concerned the .nl tld. And I replaced the requesting ip with x.x.x.x)
So it seems that IPV6 requests are still answered…

I searched the community and found:

" [irtefa]
We do not rate limit. You should be able to send 10QPS pretty easily.".

So we do not experience any rate limiting…

Any ideas what’s going on?

sandro · October 16, 2019, 11:01am

Ehm, did I understand you correctly? You are sending more than 2000 requests a second? I am surprised that IP address didnt get blocked yet

There is quite a difference between 10 queries a second and 2000. It was mentioned there is no throttling but I assume this applies to reasonable figures and I am not sure if your usage would still qualify as such, respectively I am sure there is some sort of throttling in place to avoid attacks.

Tagging @irtefa

ferdinand.vroom · October 16, 2019, 11:07am

I am not aware of the exact spread over 24hrs. But we might even exceed the 2000 reqs/ sec…

I would like to know more about the “reasonable figures”. I searched for a fair use policy and found terms that apply to all CloudFlare services but not specifically to the 1.1.1.1 resolver…

The rootcause of this extreme no. of lookups is a SIEM. We tuned it to reduce the total no. of requests with 90 mio…

sandro · October 16, 2019, 11:10am

I am afraid I am not familiar with the exact policies in this context, but the number seems very very large to me and I would not be the least surprised if you ran into some throttling / attack protection with that number of requests.

Can you implement some caching on your end? If not (and should @irtefa confirm it) maybe you could contact sales and they can come up with some custom solution for you.