Hello,

We would like to use DNSdist to block traffic that exceeds a QPS limit, and we have configured the following as a test:

local dbr = dynBlockRulesGroup()

dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

function maintenance()
  dbr:apply()
end

However, when we do 10 queries with the following command, all 10 requests still go through successfully:

for a in {0..10}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done

From the console, we can see that the client has been detected and is listed in the blocklist, but the 10 queries have still gone through even though we have limited it to 5.

> showDynBlocks()
What Seconds Blocks Warning Action Reason
<DNSdist_IP>/32 56 0 false Drop Exceeded query rate

Is there a way we can immediately drop the connection after reaching the maximum of 5 queries per second as defined in the config? This is the same case with the ANY request restriction.

Thanks,
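An added check for verifying the behaviour described in the message above (example code, not part of the original post or of dnsdist): it sends two bursts against a dnsdist instance running the posted dynBlockRulesGroup config, separated by a pause long enough for dnsdist to call maintenance() (it does so every second), and counts which queries were answered and which were dropped. DNSDIST_IP and QNAME are placeholders the reader must set.

```shell
#!/usr/bin/env bash
# Added harness, not from the original post. Assumes a dnsdist at
# $DNSDIST_IP with the posted rules (5 qps, Drop action, 60 s block) and a
# name that dnsdist can resolve in $QNAME; both values are placeholders.
DNSDIST_IP="${DNSDIST_IP:-192.0.2.1}"   # placeholder (documentation range)
QNAME="${QNAME:-example.com}"

# Send N A queries back to back and emit one line per query:
# "answered" when dig received a reply, "dropped" when it timed out.
# The Drop action sends no reply at all, so keep dig's timeout short.
send_burst() {
  local n="$1" i
  for i in $(seq 1 "$n"); do   # seq 1 N sends exactly N queries; {0..10} sends 11
    if dig +short +tries=1 +time=1 -t A "$QNAME" @"$DNSDIST_IP" >/dev/null 2>&1; then
      echo answered
    else
      echo dropped
    fi
  done
}

# Count the lines on stdin that equal the given status ("answered"/"dropped").
count_status() {
  local status="$1"
  grep -c "^${status}\$" || true   # grep -c prints 0 and exits 1 on no match
}

# With the posted config the first burst is only counted; the block takes
# effect once maintenance() has run, so a second burst after >1 s should be
# dropped entirely. Returns non-zero if any query of burst 2 got a reply.
check_rate_limit() {
  local first second
  first=$(send_burst 10 | count_status answered)
  sleep 2
  second=$(send_burst 10 | count_status dropped)
  echo "burst1 answered=$first burst2 dropped=$second"
  [ "$second" -eq 10 ]
}
```

Run `check_rate_limit` after sourcing the script; a dropped count below 10 in the second burst means the block was not applied (or the client address was not the one listed by showDynBlocks()).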