[dnsdist] A few questions about rate-limiting

Thib D thibmac0241 at gmail.com
Wed May 13 07:50:46 UTC 2020


Hello everyone,

I am currently trying to set up a rate-limiting config and I have a few
questions about how Dynblocks and Packet policies rules work:

When an IP is inserted in a DynBlockRule, an action is automatically given
to the query for some time.
Instead of dropping/truncating every query, I would like to have the
possibility to drop/truncate 50% for the queries coming from this abusive
IP. Is this currently possible to do so?

It looks like it's possible to come close to this behavior using
MaxQPSIPRule(10,24,48) and dropping the queries matching this rule.
Here, the abusive source would still be able to query at a 10 qps rate, and
the rest of the queries would be dropped.

I would also like to have the same behaviour for queries by RCODE[1] and
QNAMEs[2]:
[1]: I would like to allow a source to have 10 NXDOMAINs/s, and drop the
rest of the NXDOMAIN queries from this source.
[2]: I would like to allow 10 queries per second for a single source on a
same domain, then drop the rest.

From what I understand, DynBlocks are the only way to count responses with
a specific RCode, and I'm wondering if there is a way to have Dynblock not
dropping/truncating every query (would LuaActions do the trick?), or
setting up custom rules to have some sort of MaxQPSRule limiting subnets
abusing NXDOMAIN/SERVFAIL/REFUSED.

Last question: Will Dynblocks be able to deal with subnets instead of IPs
in the future?

I'm not sure whether Dynblocks or QPSRules are the best to fit my needs.

Best regards
Thibaud
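For reference, here is an added dnsdist configuration sketch (Lua) that is not part of the original post and not the dnsdist project's own example; it shows how the three limits asked about map onto the building blocks mentioned in the question: MaxQPSIPRule with DropAction for the excess-only behaviour, a LuaAction for a probabilistic drop, a dynBlockRulesGroup keyed on response RCODE, and a LuaAction counter for a per-source, per-QNAME limit. The 10 qps / 10 rcode-per-second thresholds come from the question; the 60 s block duration, the 10 s measurement window, the names dropHalf, limitPerName and perNameCounters, and the use of the optional action argument of setRCodeRate (present in recent dnsdist releases) are assumptions.

```lua
-- dnsdist configuration (Lua). Constructed example; thresholds are illustrative.

-- Per-source QPS limit: a source above 10 qps (buckets: /24 for IPv4, /48 for
-- IPv6, as in the question) only has the *excess* queries dropped, so the
-- source keeps a 10 qps budget instead of being blocked entirely.
addAction(MaxQPSIPRule(10, 24, 48), DropAction())

-- Variant: drop only about half of the excess. LuaAction receives the
-- DNSQuestion and returns a DNSAction plus an (unused here) string.
-- dropHalf is an assumed helper name.
function dropHalf(dq)
  if math.random() < 0.5 then
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""
end
-- Enable this instead of the DropAction line above to get the 50% behaviour:
-- addAction(MaxQPSIPRule(10, 24, 48), LuaAction(dropHalf))

-- RCODE-based limits: dynamic blocks count *responses* per source. A source
-- producing more than 10 NXDOMAIN (or SERVFAIL / REFUSED) responses per
-- second, averaged over the last 10 seconds, is blocked for 60 seconds.
-- Note the caveat from the question: the block applies to every query from
-- that source for the blocking time, not only to the excess.
-- Truncate rather than Drop so legitimate clients can retry over TCP.
local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 10, 10, "Too many NXDOMAIN responses", 60, DNSAction.Truncate)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 10, 10, "Too many SERVFAIL responses", 60, DNSAction.Truncate)
dbr:setRCodeRate(DNSRCode.REFUSED,  10, 10, "Too many REFUSED responses",  60, DNSAction.Truncate)

-- dnsdist calls maintenance() roughly every second; apply() evaluates the
-- counters and inserts the dynamic blocks.
function maintenance()
  dbr:apply()
end

-- Per-source, per-QNAME limit (10 qps on one name from one source), done in
-- Lua because there is no built-in rule keyed on both. The counter table is
-- keyed by "<source>/<qname>" and reset every wall-clock second.
-- perNameCounters and limitPerName are assumed names.
local perNameCounters = {}

function limitPerName(dq)
  local now = os.time()
  local key = dq.remoteaddr:toString() .. "/" .. dq.qname:toString()
  local entry = perNameCounters[key]
  if entry == nil or entry.second ~= now then
    entry = { second = now, count = 0 }
    perNameCounters[key] = entry
  end
  entry.count = entry.count + 1
  if entry.count > 10 then
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""
end

-- Runs for every query; place it after cheaper rules in the chain.
addAction(AllRule(), LuaAction(limitPerName))
```

Two practical caveats: the per-name counter table above only ever grows (stale keys are never removed), so a production version needs periodic pruning, for instance from the same maintenance() function; and the LuaAction path runs for every query, so a native rule such as MaxQPSIPRule should be preferred wherever it expresses the limit you need.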