[dnsdist] DnsDist Disable TCP

Burak Ozalp burak.ozalp at metu.edu.tr
Wed Sep 2 13:34:09 UTC 2015



Yes! It works. When we try with the Chrome browser, it responds with
the TC-bit set and then it automatically retries TCP (looks great).
However, when we try with the Firefox browser, it only returns the
response and does not try with TCP.

These are our related configurations:

glibc version : 2.13-1
Kernel version : 3.2.0-68-generic
Firefox version: 40.0.3
Chrome version: 43.0.2357.65
-- 

Best Regards
Burak Ozalp



Quoting bert hubert <bert.hubert at netherlabs.nl>

> On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>> Our problem is that we don't know the source address. Our aim is the
>> defence against DDoS attacks, we should limit for all different
>> IPs. As a result, when an attacker attacks our server, we need to
>> not drop innocent requests.
>
> Ok, then do:
>
> addAction(MaxQPSIPRule(5), DropAction())
>
> On the latest packages. Limits each individual IP to 5 QPS, drops beyond
> that.
>
> 	Bert
>
>>
>> Best Regards
>> Burak Ozalp
>>
>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>
>> >On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>> >>Hi Bert;
>> >>
>> >>AddQPS is the best option for us. Is it possible to apply
>> >>addQPSLimit for individual IPs?
>> >
>> >Yes, as outlined in the documentation ->
>> >https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>> >
>> >You can add as many subnets as you want, or individual IPs etc.
>> >
>> >Good luck!
>> >
>> >	Bert
>> >
>> >>
>> >>Best Regards
>> >>Burak Ozalp
>> >>
>> >>Quoting bert hubert <bert.hubert at netherlabs.nl>
>> >>
>> >>>On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>> >>>>With the current version of RPM I get no error. However,
>> >>>>addAction(MaxQPSIPRule(5), NoRecurseAction()), didn't do its job.
>> >>>>Should we use both addQPSLimit and addAction together for limiting
>> >>>>individual IP to 5 qps?
>> >>>
>> >>>No, addQPSLimit alone is fine. The addAction is only if you want to drop the
>> >>>RD-bit for traffic that exceeds the QPS limit.
>> >>>
>> >>>	Bert
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >>_______________________________________________
>> >>dnsdist mailing list
>> >>dnsdist at mailman.powerdns.com
>> >>http://mailman.powerdns.com/mailman/listinfo/dnsdist
>> >>
>> >
>>
>
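
The per-IP limit discussed in this thread ("limits each individual IP to 5 QPS, drops beyond that"), modelled as an added example that is not part of the original messages and is not dnsdist's own code. It assumes a token bucket whose burst equals the rate; the class names, the "truncate" verdict (standing in for a TC-bit reply) and the sample addresses are constructed for illustration.

```python
# Simplified integer token-bucket model of a per-source-IP QPS limit.
# Assumption: burst equals the rate; this is not dnsdist's implementation.
MICRO = 1_000_000

class TokenBucket:
    def __init__(self, rate, now_us):
        self.rate = rate
        self.tokens = rate * MICRO      # start full, in micro-tokens
        self.last = now_us

    def allow(self, now_us):
        # Refill for the elapsed time, capped at one second's worth.
        self.tokens = min(self.rate * MICRO,
                          self.tokens + (now_us - self.last) * self.rate)
        self.last = now_us
        if self.tokens >= MICRO:
            self.tokens -= MICRO
            return True
        return False

class PerIPLimiter:
    def __init__(self, qps, over_limit="drop"):
        self.qps = qps
        self.over_limit = over_limit    # "drop" or "truncate" (TC-bit reply)
        self.buckets = {}               # one bucket per source address

    def handle(self, src_ip, now_us):
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.qps, now_us)
        return "pass" if bucket.allow(now_us) else self.over_limit

def simulate(limiter, traffic):
    """traffic: iterable of (timestamp_us, src_ip); returns {ip: {verdict: n}}."""
    result = {}
    for ts, ip in sorted(traffic):
        verdict = limiter.handle(ip, ts)
        counts = result.setdefault(ip, {})
        counts[verdict] = counts.get(verdict, 0) + 1
    return result

def sample_traffic():
    # Constructed sample, 3 seconds: one source at 100 QPS, one client at 2 QPS.
    flood = [(i * 10_000, "192.0.2.10") for i in range(300)]
    normal = [(i * 500_000, "198.51.100.7") for i in range(6)]
    return flood + normal

if __name__ == "__main__":
    print(simulate(PerIPLimiter(5), sample_traffic()))
```

Because each source address has its own bucket, the flooding source is cut to its initial burst plus 5 QPS while the 2 QPS client never sees an over-limit verdict.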






