I've got a lab-server running pdns-recursor. I set it up to experiment with rate limiting, so it has been resolving requests openly from the whole internet for weeks. My idea was that sooner or later it would get abused, giving me a real user case to experiment with.

To keep track of the usage I set up nagios to monitor the number of concurrent-queries to the server.

Today I got notice from nagios that my specified limit had been reached.

I logged in to start trimming away the malicious questions I was expecting, however, when I started looking at it I couldn't see the expected traffic.

What I found is that even though I have over 20 concurrent-queries registered by the server I see no requests in the logs. The following command describes the situation well:

$ sudo rec_control get concurrent-queries; sudo rec_control top-remotes
22
Over last 0 queries:

How can there be 22 concurrent-queries when the server has 0 queries registered?

EDIT:

Figured it out!

To get top-remotes working I needed to set

#################################
# remotes-ringbuffer-entries    maximum number of packets to store statistics for
#
remotes-ringbuffer-entries=100000

It defaults to 0 storing no information to base top-remotes statistics on.