[dnsdist] DnsDist Disable TCP

Burak Ozalp burak.ozalp at metu.edu.tr
Thu Sep 3 11:24:28 UTC 2015


Hi Bert;

Actually, it only works for Ubuntu-Chrome. In Windows, neither Chrome
nor Internet Explorer works with this configuration. What could be
the reason for this situation?

Best Regards
Burak Özalp

Quoting Burak Ozalp <burak.ozalp at metu.edu.tr>

>
>
> Yes! It works. When we try with the Chrome browser, it responds with
> the TC-bit set and then it automatically retries TCP (looks great).
> However, when we try with the Firefox browser, it only returns the
> response and does not try with TCP.
>
> These are our related configurations:
>
> glibc version : 2.13-1
> Kernel version : 3.2.0-68-generic
> Firefox version: 40.0.3
> Chrome version: 43.0.2357.65
> -- 
>
> Best Regards
> Burak Ozalp
>
>
>
> Quoting bert hubert <bert.hubert at netherlabs.nl>
>
>> On Wed, Sep 02, 2015 at 03:52:11PM +0300, Burak Ozalp wrote:
>>> Our problem is that we don't know the source address. Our aim is the
>>> defence against DDoS attacks, we should limit for all different
>>> IPs. As a result, when an attacker attacks our server, we need to
>>> not drop innocent requests.
>>
>> Ok, then do:
>>
>> addAction(MaxQPSIPRule(5), DropAction())
>>
>> On the latest packages. Limits each individual IP to 5 QPS, drops beyond
>> that.
>>
>> 	Bert
>>
>>>
>>> Best Regards
>>> Burak Ozalp
>>>
>>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>>
>>>> On Wed, Sep 02, 2015 at 02:31:33PM +0300, Burak Ozalp wrote:
>>>>> Hi Bert;
>>>>>
>>>>> AddQPS is the best option for us. Is it possible to apply
>>>>> addQPSLimit for individual IPs?
>>>>
>>>> Yes, as outlined in the documentation ->
>>>> https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>>>>
>>>> You can add as many subnets as you want, or individual IPs etc.
>>>>
>>>> Good luck!
>>>>
>>>> 	Bert
>>>>
>>>>>
>>>>> Best Regards
>>>>> Burak Ozalp
>>>>>
>>>>> Quoting bert hubert <bert.hubert at netherlabs.nl>
>>>>>
>>>>>> On Wed, Sep 02, 2015 at 02:08:38PM +0300, Burak Ozalp wrote:
>>>>>>> With the current version of RPM I get no error. However,
>>>>>>> addAction(MaxQPSIPRule(5), NoRecurseAction()), didn't do its job.
>>>>>>> Should we use both addQPSLimit and addAction together for limiting
>>>>>>> individual IP to 5 qps?
>>>>>>
>>>>>> No, addQPSLimit alone is fine. The addAction is only if you want to drop the
>>>>>> RD-bit for traffic that exceeds the QPS limit.
>>>>>>
>>>>>> 	Bert
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> dnsdist mailing list
>>>>> dnsdist at mailman.powerdns.com
>>>>> http://mailman.powerdns.com/mailman/listinfo/dnsdist
>>>>>
>>>>
>>>
>>
>
>
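
A simplified model of the per-IP limit discussed in this thread, added here as an example; it is not part of the original messages and not dnsdist's own code. It compares dropping over-limit queries with answering them with the TC bit set, and all names in it (`PerIPLimiter`, `handle`, `wants_tcp_retry`, the sample query) are hypothetical.

```python
import struct

QR_BIT = 0x8000  # header flag: this message is a response
TC_BIT = 0x0200  # header flag: truncated, client should retry over TCP

class PerIPLimiter:
    """Token bucket per source IP: refills at `qps` tokens/s, burst of `qps`."""
    def __init__(self, qps):
        self.qps = float(qps)
        self.buckets = {}  # ip -> (tokens, time of last query)

    def over_limit(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.qps, now))
        tokens = min(self.qps, tokens + (now - last) * self.qps)
        exceeded = tokens < 1.0
        self.buckets[ip] = (tokens if exceeded else tokens - 1.0, now)
        return exceeded

def truncated_reply(query):
    """Answer from the front end: same ID and question, QR and TC set, no records.
    Assumes the query carries no additional records (no EDNS OPT)."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", qid, flags | QR_BIT | TC_BIT, qdcount, 0, 0, 0)
    return header + query[12:]

def handle(limiter, ip, query, now, policy="tc"):
    """Return "forward", None (dropped), or the bytes of a TC=1 reply."""
    if not limiter.over_limit(ip, now):
        return "forward"
    return None if policy == "drop" else truncated_reply(query)

def wants_tcp_retry(reply):
    """What a stub resolver checks before retrying over TCP."""
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & TC_BIT)

# Constructed sample: ID 0x1234, RD set, one question (example.com, A, IN).
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    lim = PerIPLimiter(5)
    for i in range(7):
        result = handle(lim, "192.0.2.1", SAMPLE_QUERY, now=0.0)
        print(i + 1, result if result == "forward" else "TC reply")
```

With the TC policy a client that honours the flag can still get an answer over TCP, which is the behaviour the thread reports for Chrome on Ubuntu; with the drop policy the over-limit query simply times out.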





