<div dir="ltr"><div dir="ltr">
<div dir="ltr"><div>Hi Remi,</div><div><br></div><div>Thanks for the quick feedback, it's really appreciated.<br></div><br><div>My first idea was to exclude domains when setQTypeRate matched, <br><div>Your explanation is clear, I cannot.<br></div><div><br></div><div>Here is my alternative to do that.<br></div><div><br></div><div> -- list of client ip to block during 60s<br></div></div><div style="margin-left:40px">blacklistedIPs=TimedIPSetRule()<br>addAction(blacklistedIPs:slice(), RCodeAction(DNSRCode.REFUSED))<br><br>local function blacklistIP(dq)</div><div style="margin-left:40px"> blacklistedIPs:add(dq.remoteaddr, 60) <br> return DNSAction.Refused<br>end</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">-- list of trusted domains where the rate limiting is not applied<br></div><div style="margin-left:40px">trusted_domains = newSuffixMatchNode()<br>trusted_domains:add(newDNSName("<a href="http://google.fr" target="_blank">google.fr</a>."))</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">-- Rate limiting for TXT and CNAME qtypes only<br></div><div style="margin-left:40px">addAction(AndRule({ MaxQPSIPRule(5, 32, 64, 5), OrRule({QTypeRule(DNSQType.TXT), QTypeRule(DNSQType.CNAME))}), NotRule(SuffixMatchNodeRule(trusted_domains, true)) }), SetTagAction('dynamic_block', 'match'))</div><div style="margin-left:40px">addAction(TagRule('dynamic_block'), DnstapLogAction("dynamic_block", fstl))</div><div style="margin-left:40px">addAction(TagRule('dynamic_block'), LuaAction(blacklistIP))</div></div><div><br></div><div>regards,<br></div><div>denis</div>
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 12, 2023 at 1:16 PM Remi Gacogne via dnsdist <<a href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Denis,<br>
<br>
On 12/07/2023 12:24, Denis MACHARD via dnsdist wrote:<br>
> How to exclude some domains with the dynamic block feature <br>
> (dynBlockRulesGroup),<br>
> Is it possible ? The documentation is not clear on this, if anyone has <br>
> an example.<br>
<br>
We should document this more clearly, there are two types of rules in a <br>
DBRG:<br>
<br>
- setQueryRate, setRCodeRate, setRCodeRatio, setQTypeRate and <br>
setResponseByteRate work by looking at the queries and responses present <br>
in the ring buffers grouped by client IP, so they can decide to apply an <br>
action on a given IP. Therefore the excludeRange, includeRange <br>
directives apply to these rules to allowlist and denylist some IPs/ranges.<br>
<br>
- setSuffixMatchRule and setSuffixMatchRuleFFI work by looking at the <br>
responses present in the ring buffers grouped by subdomains, so they can <br>
decide to apply an action on a given domain or subdomain. Therefore the <br>
excludeDomains directive apply to these rules to prevent a domain and <br>
its children from being blocked.<br>
<br>
So you cannot exclude an IP or a range from <br>
setSuffixMatchRule/setSuffixMatchRuleFFI, and neither can you exclude a <br>
domain from the other rules.<br>
<br>
I hope that helps!<br>
<br>
Best regards,<br>
-- <br>
Remi Gacogne<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div></div>