[dnsdist] DnsDist Disable TCP

bert hubert bert.hubert at netherlabs.nl
Wed Sep 2 07:16:29 UTC 2015


On Wed, Sep 02, 2015 at 09:58:10AM +0300, Burak Ozalp wrote:
> I did a pull and a clean install. However, in the new branch, the
> dnsdist.1 file was removed. For that reason, I had the following
> error while running make:

Can you run ./populate? If this solves it I know what I need to do.

> newServer{address="8.8.8.8", qps=5}
> Then I tested with a DNS flood attack, and I assumed that the max answered
> queries per second would be 5. But it wasn't. What is the main purpose of the
> qps limit? Is it for forwarding queries?

This is meant for when you have multiple servers and you want to restrict the
qps each server receives. However, once all servers are at the qps limit, it
will start broadcasting queries to all servers in round-robin fashion again,
so this is not what you want.

What do you want? If you get >5 qps, drop everything above that and
disappoint your users? This will mostly even increase the traffic, because of
retransmits.

So what you could do is:

addQPSLimit("0.0.0.0/0", 5)

And this gets you what you originally wanted: drop everything in excess of 5
qps.

But you might be more interested in this:

addAction(MaxQPSIPRule(5), NoRecurseAction())

This strips the recursion desired bit from every query beyond 5 qps *per IP
address*. So this limits any individual IP to 5 qps of 'work' for your
resolver.

Or try this:

addDelay(MaxQPSIPRule(5), 1000)

This delays questions by 1 second beyond 5 qps.

Perhaps this would work for you?

	Bert


> "
> 
> Thank you.
> 
> Best Regards
> Burak Ozalp
> 
> Quoting bert hubert <bert.hubert at netherlabs.nl>:
> 
> >On Tue, Sep 01, 2015 at 05:22:41PM +0300, Burak Ozalp wrote:
> >>Hi Bert,
> >>
> >>I tested the commit you did about disable-tcp wrongly; I got some
> >>compilation errors when I ran the make command with the 3 new files.
> >
> >Can you git pull and try again? Thanks!
> >

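The three approaches from Bert's reply as one dnsdist configuration file, added here as an example; it is not code from the thread or from the dnsdist project. The backend address 8.8.8.8 and the 5 qps figure are the thread's own; the listen address, the 50 qps drop tier and the ordering of the rules are assumptions about how a deployment would combine them.

```lua
-- Added example: a dnsdist configuration (Lua) putting the approaches from
-- the thread side by side. Not Bert's code and not a dnsdist project file.
-- 8.8.8.8 and 5 qps come from the thread; the listen address, the 50 qps
-- drop threshold and the rule order are assumptions.

-- Assumed listen address.
setLocal("0.0.0.0:53")

-- What the original poster tried. qps= here is a per-backend budget used
-- when spreading load over several backends. Once every backend is at its
-- budget (trivially so with a single backend), dnsdist goes back to handing
-- queries out round robin, so nothing is dropped and a flood passes through.
newServer{address="8.8.8.8", qps=5}

-- Option 1: the literal request, a hard global cap. Everything over 5 qps
-- in total, from all clients together, is dropped. Left commented out:
-- one noisy client then starves every other client, and the dropped
-- clients retransmit, which adds traffic rather than removing it.
-- addQPSLimit("0.0.0.0/0", 5)

-- Option 2: per-client limits. addAction rules are evaluated in the order
-- they were added, so the harshest treatment for the worst offenders goes
-- first and the gentler rule catches what is left.

-- 2a (assumed threshold): a client sending more than 50 qps has everything
-- beyond that dropped. Per-client drops avoid the global starvation of
-- option 1, but see the spoofing caveat in the text below.
addAction(MaxQPSIPRule(50), DropAction())

-- 2b: between 5 and 50 qps, strip the RD (recursion desired) bit. The
-- backend can then only answer from cache, so any single client costs the
-- resolver at most 5 qps of real recursion work.
addAction(MaxQPSIPRule(5), NoRecurseAction())

-- Option 3, an alternative to 2b: keep recursing but hold each answer to a
-- client over 5 qps for 1000 ms. A flooder gets its answers late; a normal
-- client never hits the rule. Pick either 2b or this one; running both only
-- makes the per-client behaviour harder to reason about.
-- addDelay(MaxQPSIPRule(5), 1000)
```

One caveat for any of the per-client rules: MaxQPSIPRule keys on the source address of the UDP query, and a flood with spoofed sources makes the spoofed addresses, not the attacker, exceed the limit. That is a reason to give the lower tier a soft penalty (no recursion, or a delay) rather than a drop, and to keep any per-client drop threshold well above what a real client ever sends.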