<div dir="ltr"><font color="#000000" style="background-color:rgb(255,255,255)"><span style="font-size:14px">Hello everyone,</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">I am currently trying to set up a rate-limiting config and I have a few questions about how Dynblocks and packet policy rules work:</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">When an IP is inserted in a DynBlockRule, an action is automatically given to the query for some time.</span><br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">Instead of dropping/truncating every query, I would like to have the possibility to drop/truncate 50% of the queries coming from this abusive IP. Is it currently possible to do so?</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">It looks like it's possible to come close to this behaviour using MaxQPSIPRule(10,24,48) and dropping the queries matching this rule.</span><br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">Here, the abusive source would still be able to query at a 10 qps rate, and the rest of the queries would be dropped.</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">I would also like to have the same behaviour for queries by RCODE[1] and QNAMEs[2]:</span><br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">[1]: I would like to allow a source to have 10 NXDOMAINs/s, and drop the rest of the NXDOMAIN queries from this source.</span><br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">[2]: I would like to allow 10 queries per second for a single source on the same domain, then drop the rest.</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">From what I understand, DynBlocks are the only way to count responses with specific RCODEs, and I'm wondering if there is a way to have Dynblocks not drop/truncate every query (would LuaActions do the trick?), or to set up custom rules to have some sort of MaxQPSRule limiting subnets abusing NXDOMAIN/SERVFAIL/REFUSED.</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">Last question: Will Dynblocks be able to deal with subnets instead of IPs in the future?</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">I'm not sure whether Dynblocks or QPSRules are the best fit for my needs.</span><br style="box-sizing:border-box;font-size:14px">
<br style="box-sizing:border-box;font-size:14px">
<span style="font-size:14px">Best regards</span><br style="box-sizing:border-box;font-size:14px">
<span class="gmail-highlight-text" style="box-sizing:border-box;margin:0px;padding:2px;vertical-align:baseline;border:0px solid;font-size:14px;border-radius:15px">Thibaud</span></font><br></div>
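An added example dnsdist configuration (not part of the message above, nor the project's own) that puts the two mechanisms under discussion side by side: MaxQPSIPRule, which lets a source keep 10 qps and drops only the excess, and a dynBlockRulesGroup, which blocks a source for a period once its NXDOMAIN/SERVFAIL/REFUSED response rate is exceeded. It assumes a dnsdist release with dynBlockRulesGroup (1.3.0 or later; setMasks needs 1.6.0 or later) and a backend at 192.0.2.53, a documentation placeholder address.

```lua
-- Added example dnsdist.conf (Lua); backend address is a placeholder.
newServer({address = "192.0.2.53"})

-- Per-source cap: each IPv4 /24 or IPv6 /48 may send 10 qps; queries above
-- that rate are dropped, the rest are answered normally. This is the
-- "keep 10 qps, drop the remainder" behaviour, not a percentage drop.
addAction(MaxQPSIPRule(10, 24, 48), DropAction())

-- Dynamic blocks driven by the RCODE of responses seen in the ring buffers.
-- setRCodeRate(rcode, rate, seconds, reason, blockingTime): a source that
-- exceeds 10 NXDOMAIN/s averaged over a 10 s window is blocked for 60 s.
-- Unlike MaxQPSIPRule, a dynamic block applies to every query from the
-- source for the whole blocking period, not only to the excess.
dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 10, 10, "Exceeded NXDOMAIN rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 10, 10, "Exceeded SERVFAIL rate", 60)
dbr:setRCodeRate(DNSRCode.REFUSED,  10, 10, "Exceeded REFUSED rate", 60)

-- dnsdist 1.6.0+: aggregate per /24 (IPv4) and /56 (IPv6) instead of per
-- address, so the block covers the subnet rather than a single IP.
dbr:setMasks(24, 56, 0)

-- Truncate (force a TCP retry) instead of silently dropping blocked queries,
-- so legitimate resolvers behind a shared address still get answers.
setDynBlocksAction(DNSAction.Truncate)

-- dnsdist calls maintenance() about once per second; apply() evaluates the
-- rules against recent traffic and inserts or ages out dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Watch the blocks with `showDynBlocks()` in the dnsdist console before tightening the thresholds, since a low NXDOMAIN rate can also catch busy recursive resolvers rather than only abusive sources.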