[dnsdist] DnsDist Disable TCP

Burak Ozalp burak.ozalp at metu.edu.tr
Wed Sep 2 11:08:38 UTC 2015


With the current version of RPM I get no error. However,
addAction(MaxQPSIPRule(5), NoRecurseAction()) didn't do its job.
Should we use both addQPSLimit and addAction together for limiting
an individual IP to 5 qps?

Best Regards
Burak Ozalp

Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Wed, Sep 02, 2015 at 11:21:42AM +0300, Burak Ozalp wrote:
>> addAction(MaxQPSIPRule(5), NoRecurseAction()) option, but it gets
>> the following error;
>
> This probably means you are not running the most current version of dnsdist.
> Perhaps https://repo.powerdns.com/ might be helpful for you?
>
> Good luck!
>
> 	Bert
>
>>
>> Fatal error: [string "chunk"]:7: attempt to call global
>> 'MaxQPSIPRule' (a nil value)
>>
>> We tested for both cases (inside the blockfilter function and global
>> call); it gives the same error.
>>
>> Thanks a lot
>>
>> Best Regards
>> Burak Ozalp
>>
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >On Wed, Sep 02, 2015 at 09:58:10AM +0300, Burak Ozalp wrote:
>> >>I did pull and make a clean install. However, in new branch,
>> >>dnsdist.1 file was removed. For that reason, I had the following
>> >>error while make;
>> >
>> >Can you run ./populate? If this solves it I know what I need to do.
>> >
>> >>newServer{address="8.8.8.8", qps=5}
>> >>Then I test with DNS flood attack, and I assumed that the max answer
>> >>query per second is 5. But it wasn't. What is the main purpose of qps
>> >>limit? Is it for forwarding queries?
>> >
>> >This is meant if you have multiple servers, and you want to restrict the qps
>> >each server receives. However, once all servers are at the qps limit, it
>> >will start broadcasting queries to all servers in round robin fashion again
>> >so this is not what you want.
>> >
>> >What do you want? If you get >5 qps, drop everything above that and
>> >disappoint your users? This will mostly increase the traffic even because of
>> >retransmits.
>> >
>> >So what you could do is do:
>> >
>> >addQPSLimit("0.0.0.0/0", 5)
>> >
>> >And this gets you what you originally wanted, drop everything in excess of 5
>> >qps.
>> >
>> >But you might be more interested in this:
>> >
>> >addAction(MaxQPSIPRule(5), NoRecurseAction())
>> >
>> >This strips the recursion desired bit from every query beyond 5 qps *per IP
>> >address*. So this limits any individual IP to 5 qps of 'work' for your
>> >resolver.
>> >
>> >Or try this:
>> >
>> >addDelay(MaxQPSIPRule(5), 1000)
>> >
>> >This delays questions by 1 second beyond 5qps.
>> >
>> >Perhaps this would work for you?
>> >
>> >	Bert
>> >
>> >
>> >>"
>> >>
>> >>Thank you.
>> >>
>> >>Best Regards
>> >>Burak Ozalp
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>
>> >>>On Tue, Sep 01, 2015 at 05:22:41PM +0300, Burak Ozalp wrote:
>> >>>>Hi Bert,
>> >>>>
>> >>>>I tested wrongly the commit you did about disable-tcp, I got some
>> >>>>compilation errors when I run make command with new 3 files.
>> >>>
>> >>>Can you git pull and try again? Thanks!
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>>
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/dnsdist
>>
>
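
Added example, not part of the original thread and not dnsdist's own code: a small Python model of the per-IP behaviour described in the quoted reply, where queries from one address beyond 5 qps are still forwarded but with the recursion desired bit cleared. The token bucket, all function names and the sample traffic (documentation addresses 192.0.2.x) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word

class PerIPQPS:
    """Assumed model: one token bucket per source IP, `rate` tokens/second."""
    def __init__(self, rate):
        self.rate = rate
        self.state = defaultdict(lambda: (float(rate), 0.0))  # ip -> (tokens, last)

    def over_limit(self, ip, now):
        tokens, last = self.state[ip]
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.state[ip] = (tokens - 1.0 if allowed else tokens, now)
        return not allowed

def clear_rd(packet):
    """Clear the RD bit; the rest of the message is left untouched."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags = struct.unpack("!HH", packet[:4])
    return struct.pack("!HH", ident, flags & ~RD_FLAG & 0xFFFF) + packet[4:]

def build_query(ident, name="example.com"):
    """Constructed sample input: an A/IN query with RD set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, RD_FLAG, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def simulate(queries, rate=5):
    """queries: (time, source_ip, packet). Returns (source_ip, rd_still_set) per query."""
    limiter, forwarded = PerIPQPS(rate), []
    for now, ip, pkt in queries:
        if limiter.over_limit(ip, now):
            pkt = clear_rd(pkt)          # over the limit: forwarded, not dropped
        flags = struct.unpack("!H", pkt[2:4])[0]
        forwarded.append((ip, bool(flags & RD_FLAG)))
    return forwarded

def sample_traffic():
    """Constructed traffic: one address sends 20 queries in 0.2 s, another sends 2."""
    flood = [(1.0 + i * 0.01, "192.0.2.10", build_query(i)) for i in range(20)]
    normal = [(1.05, "192.0.2.20", build_query(100)), (1.5, "192.0.2.20", build_query(101))]
    return flood + normal

if __name__ == "__main__":
    for ip, rd in simulate(sample_traffic()):
        print(ip, "RD kept" if rd else "RD cleared")
```

In this model every query is still forwarded, so a test that only counts answers per second will not show the limit; what changes for the over-limit address is the RD bit.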






