[dnsdist] DelayAction with dnsdist 1.4.0-rc1
brian.sullivan at lookout.com
Fri Aug 16 13:41:28 UTC 2019
Thanks for your insight ...
On Fri, Aug 16, 2019 at 9:29 AM Remi Gacogne <remi.gacogne at powerdns.com> wrote:
> On 8/16/19 3:04 PM, Brian Sullivan wrote:
> > Yes my bad ... I missed that. Just a thought, next time the
> > documentation is updated, Section 5.1.1 Examples and Section 15.6 Rules
> > for traffic exceeding QPS limits could both use a note that it is UDP
> > only. Since it is such a simple action, I didn't even look at the
> > reference.
> Yeah, it's on us, sorry about that.
> I see Frank has already opened a pull request to fix that, thanks a lot!
> > What do you think of this alternative, I could use the same MaxQPSIPRule
> > rule and tag the query and pass it along to the recursor. In a lua
> > script I could check the tag and add a delay. I need to read up on it ..
> > but I am assuming the lua processing is multithreaded? I could also add
> > a second MaxQPSIPRule with a higher qps value and add a DropAction to
> > protect the recursor.
> Hmm, no, you can't block in a Lua script. That wouldn't be too bad in
> 1.3.x for TCP connections, since a thread only handled one connection at
> a time, but in 1.4.0 a single thread can handle a lot of TCP
> connections at once so we can't afford to block there.
> It's a bit more complicated in the recursor but basically you can't
> block there either.
> I'm afraid I don't really have a solution to offer if you want to delay
> the response over TCP, sorry :-/ We should probably fix that since I
> assume that people might want to delay over DoT or DoH too.
> Remi Gacogne
> PowerDNS BV - https://www.powerdns.com/
Brian M. Sullivan
Senior Staff Security Intelligence Engineer
bsullivan at lookout.com | www.lookout.com
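
A dnsdist configuration sketch of the two-tier rate limit discussed in this thread, added here as an example and not posted by either participant. The backend address and the QPS and delay values are constructed assumptions; the delay rule is scoped to UDP because DelayAction has no effect on TCP.

```lua
-- Added example, not from the thread. Constructed values: backend address,
-- QPS thresholds and delay.
newServer({address="192.0.2.53:53"})  -- placeholder recursor (documentation range)

-- Hard ceiling, evaluated first and applied to UDP and TCP alike:
-- a client exceeding 50 qps is dropped before reaching the recursor.
addAction(MaxQPSIPRule(50), DropAction())

-- Soft limit for UDP only: responses to a client exceeding 10 qps are
-- delayed by 100 ms. TCPRule(false) matches UDP queries and is listed
-- first so that AndRule stops there for TCP queries, which then do not
-- consume tokens from this limiter.
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), DelayAction(100))

-- TCP clients between 10 and 50 qps are neither delayed nor dropped by
-- these rules; only the 50 qps ceiling applies to them.
```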