<div dir="ltr">Hi Remi,<div><br></div><div>Thanks for your insight ... </div><div><br></div><div>Regards,</div><div>brian</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 16, 2019 at 9:29 AM Remi Gacogne <<a href="mailto:remi.gacogne@powerdns.com">remi.gacogne@powerdns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 8/16/19 3:04 PM, Brian Sullivan wrote:<br>
> Yes my bad ... I missed that. Just a thought, next time the<br>
> documentation is updated, Section 5.1.1 Examples and Section 15.6 Rules<br>
> for traffic exceeding QPS limits could both use a note that it is UDP<br>
> only. Since it is such a simple action, I didn't even look at the<br>
> reference. <br>
<br>
Yeah, it's on us, sorry about that.<br>
I see Frank has already opened a pull request to fix that, thanks a lot!<br>
<br>
> What do you think of this alternative, I could use the same MaxQPSIPRule<br>
> rule and tag the query and pass it along to the recursor. In a Lua<br>
> script I could check the tag and add a delay. I need to read up on it ..<br>
> but I am assuming the Lua processing is multithreaded? I could also add<br>
> a second MaxQPSIPRule with a higher qps value and add a DropAction to<br>
> protect the recursor. <br>
<br>
Hmm, no, you can't block in a Lua script. That wouldn't be too bad in<br>
1.3.x for TCP connections, since a thread only handled one connection at<br>
a time, but in 1.4.0 a single thread can handle a lot of TCP<br>
connections at once so we can't afford to block there.<br>
It's a bit more complicated in the recursor but basically you can't<br>
block there either.<br>
<br>
I'm afraid I don't really have a solution to offer if you want to delay<br>
the response over TCP, sorry :-/ We should probably fix that since I<br>
assume that people might want to delay over DoT or DoH too.<br>
<br>
Best,<br>
-- <br>
Remi Gacogne<br>
PowerDNS BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
<br>
_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p><span></span><span><img src="https://docs.google.com/uc?export=download&id=0BzPp9aRH66f2d2JzS2ZRUHl6dEE&revid=0BzPp9aRH66f2SHFsTEhtT3JZUGs3aWwxY0MzSEF0VEJNVFJrPQ" width="200" height="50"> </span></p><p><span><span><font color="#666666">Brian M. Sullivan<br>Senior Staff Security Intelligence Engineer</font><br><font color="#0000ff"><a href="mailto:bsullivan@lookout.com" target="_blank">bsullivan@lookout.com</a></font> | <font color="#0000ff"><a href="http://www.lookout.com" target="_blank">www.lookout.com</a></font><font color="#666666"><br></font></span></span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>