[dnsdist] DnsDist Disable TCP

Burak Ozalp burak.ozalp at metu.edu.tr
Wed Sep 2 08:21:42 UTC 2015


Hi Bert,

I ran ./populate and it works great. I also tested the new
feature (disable-tcp) and it works perfectly. Thanks!

In addition, we tested the 2 options you recommended for qps.

addQPSLimit("0.0.0.0/0", 5) works great. In contrast, we tried the
addAction(MaxQPSIPRule(5), NoRecurseAction()) option (which works well
for our case, to limit any individual IP), but it gives the
following error:

Fatal error: [string "chunk"]:7: attempt to call global 'MaxQPSIPRule' (a nil value)

We tested both cases (inside the blockfilter function and as a global
call); it gives the same error.

Thanks a lot

Best Regards
Burak Ozalp


Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Wed, Sep 02, 2015 at 09:58:10AM +0300, Burak Ozalp wrote:
>> I did a pull and made a clean install. However, in the new branch, the
>> dnsdist.1 file was removed. For that reason, I had the following
>> error while running make;
>
> Can you run ./populate? If this solves it I know what I need to do.
>
>> newServer{address="8.8.8.8", qps=5}
>> Then I tested with a DNS flood attack, and I assumed that the max answer
>> query per second is 5. But it wasn't. What is the main purpose of the qps
>> limit? Is it for forwarding queries?
>
> This is meant if you have multiple servers, and you want to restrict the qps
> each server receives. However, once all servers are at the qps limit, it
> will start broadcasting queries to all servers in round robin fashion again
> so this is not what you want.
>
> What do you want? If you get >5 qps, drop everything above that and
> disappoint your users? This will mostly increase the traffic even because of
> retransmits.
>
> So what you could do is do:
>
> addQPSLimit("0.0.0.0/0", 5)
>
> And this gets you what you originally wanted, drop everything in excess of 5
> qps.
>
> But you might be more interested in this:
>
> addAction(MaxQPSIPRule(5), NoRecurseAction())
>
> This strips the recursion desired bit from every query beyond 5 qps *per IP
> address*. So this limits any individual IP to 5 qps of 'work' for your
> resolver.
>
> Or try this:
>
> addDelay(MaxQPSIPRule(5), 1000)
>
> This delays questions by 1 second beyond 5qps.
>
> Perhaps this would work for you?
>
> 	Bert
>
>
>> "
>>
>> Thank you.
>>
>> Best Regards
>> Burak Ozalp
>>
>>
>>
>>
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >On Tue, Sep 01, 2015 at 05:22:41PM +0300, Burak Ozalp wrote:
>> >>Hi Bert,
>> >>
>> >>I tested wrongly the commit you did about disable-tcp, I got some
>> >>compilation errors when I run the make command with the new 3 files.
>> >
>> >Can you git pull and try again? Thanks!
>> >
>>
>>
>>
>>
>
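
The difference between the two limits discussed in this thread (one shared 5 qps budget for 0.0.0.0/0 versus 5 qps per source IP), shown as an added Python simulation that is not part of the original messages and is not dnsdist code. It assumes a token-bucket model for the limiter; the class and function names, the traffic rates and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

FLOODER = "198.51.100.7"   # constructed sample address
NORMAL = "192.0.2.10"      # constructed sample address


class TokenBucket:
    """Assumed limiter model: `rate` tokens per second, burst of `rate`."""

    def __init__(self, rate):
        self.rate = rate
        self.tokens = float(rate)
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def constructed_traffic(seconds=10):
    """Constructed input: one source at 200 qps, one client at 2 qps."""
    events = [(i / 200.0, FLOODER) for i in range(200 * seconds)]
    events += [(i / 2.0 + 0.25, NORMAL) for i in range(2 * seconds)]
    return sorted(events)


def within_limit(events, per_ip, limit=5):
    """Count, per source, the queries that stay under the limit.

    per_ip=False models one shared budget for all sources;
    per_ip=True models a separate budget for every source IP.
    Queries over the limit are the ones the configured action applies to.
    """
    shared = TokenBucket(limit)
    buckets = defaultdict(lambda: TokenBucket(limit))
    counts = defaultdict(int)
    for now, ip in events:
        bucket = buckets[ip] if per_ip else shared
        if bucket.allow(now):
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("shared budget:", within_limit(traffic, per_ip=False))
    print("per-IP budget:", within_limit(traffic, per_ip=True))
```

With the shared budget the flooding source uses up nearly every token, so the 2 qps client is over the limit almost all the time; with per-IP budgets the same client never exceeds its own limit.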






