[dnsdist] setDynBlocksWarningAction(action) or something equal?

Fredrik Pettai pettai at sunet.se
Mon Feb 19 21:25:34 UTC 2024


Hi,

Sometimes I try to see how “open” resolvers handle abusive clients...
It seems that one way of handling them is to answer with the TC flag after a bunch of queries that end up as NXDOMAIN or SERVFAIL replies.

Now, https://dnsdist.org/guides/dynblocks.html is the simplest way of configuring such rules in DNSdist,
but there seems to be only one “global” Action that can be set (defaults to Drop) by the setDynBlocksAction(action) function.

I would like to be able to set a less harsh “action” at the warning level, like some of the “open” resolvers seem to do.
So first at the “warning” threshold, do one type of action (could be DNSAction.Truncate etc., which isn’t harmful to “real” clients)
and then if the client still continues and crosses the “hard” threshold, then perform setDynBlocksAction() (probably Drop).

One way to simplify that, could be if a new setDynBlocksWarningAction(action) was added.

But perhaps there is a way to express this in Lua in the maintenance task already?
If so, how would that be written in the most cost-effective way? 

Thanks,
/P