[dnsdist] Reply processing: Drop actions for RCODE and proxy RRL

Terry Burton tez at terryburton.co.uk
Wed May 11 00:17:38 UTC 2016


Does dnsdist provide any form of reply processing, or plan to?

Occasionally I have found a reason to drop replies to spoofed
addresses having RCODE=REFUSED. One benefit is that this would mean
that I can avoid the outgoing traffic in response to queries for zones
for which I am not authoritative without having to provide the
authoritative list to dnsdist. (Maybe the general case is bad
netizenship since it results in resolvers having to wait for timeout
to detect lame delegations...)

Extending the reply processing idea further, would there be any
benefit to dnsdist providing support for a kind of proxy RRL (perhaps
per pool)? I'm considering a situation where you might have configured
a large load bank to absorb abuse (elastic cloud, etc.) in which case
each nameserver instance running RRL with its own scoreboard would
contribute linearly to the volume of reply traffic that is within the
rate limit or slips and floods the victim. dnsdist would provide a
single world view allowing you to reduce the volume of reply traffic.

Thanks for giving us such a unique and interesting project as dnsdist.

All the best,
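The two mechanisms asked about above, expressed as a dnsdist configuration. This is an added illustration, not code from the original post or from the dnsdist project, and it assumes the Lua API names found in the dnsdist documentation of later releases (setLocal, newServer, addAction, addResponseAction, AllRule, RCodeRule, DNSRCode, DropResponseAction, MaxQPSIPRule, DropAction, PoolAction), which may not match the version available when the question was asked. The listen address, backend addresses, pool name and rate threshold are made up for the example.

```lua
-- dnsdist.conf: added illustration, not from the original post or the dnsdist project.
-- Assumes these dnsdist Lua API names exist as documented in later releases;
-- addresses, pool name and the qps threshold are constructed for the example.

-- Listen on the public address and send everything to one pool of authoritative backends.
setLocal("192.0.2.53:53")
newServer({address="10.0.0.11:53", pool="auth"})
newServer({address="10.0.0.12:53", pool="auth"})

-- Proxy-side rate limiting with a single scoreboard in front of the whole pool:
-- drop queries from any source IP that exceeds 50 qps. A spoofed query carries the
-- victim's address as its source, so reply traffic toward the victim is bounded once
-- at dnsdist rather than once per backend running its own RRL.
-- This rule must come before PoolAction, which stops rule processing by default.
addAction(MaxQPSIPRule(50), DropAction())
addAction(AllRule(), PoolAction("auth"))

-- Reply processing: drop responses whose RCODE is REFUSED instead of sending them.
-- For queries with spoofed source addresses this suppresses the outbound reply without
-- dnsdist needing the list of zones the backends are authoritative for.
-- Caveat (the same one the post raises): a legitimate resolver asking for a zone these
-- servers do not carry now waits for a timeout instead of seeing REFUSED, so lame
-- delegations become slower to detect.
addResponseAction(RCodeRule(DNSRCode.REFUSED), DropResponseAction())
```

DropAction and DropResponseAction send nothing at all (no SERVFAIL, no truncated reply), which is what keeps the amplification path quiet; if the goal is only to shrink replies rather than silence them, the response rule can be narrowed with AndRule to specific query types or pools before taking this approach fleet-wide.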


