[dnsdist] dbr:setRCodeRate - DNSRCode.NXDOMAIN not working with packetcache
Dave Strydom
strydom.dave at gmail.com
Fri May 15 07:31:39 UTC 2020
Hi,
I've picked up a strange issue in 1.4 where the
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
rate limit seems to be ignored if the packet cache is enabled and only the
dbr:setQueryRate triggers.
The moment I disable the packet cache, the NXDOMAIN rate limiting works.
Here is my config (please excuse anything looking odd, I'm new to
dnsdist):
---------------
addLocal('xxx.xxx.xxx.110:53')
newServer({address="10.10.216.112:5300", qps=5000})
setServerPolicy(firstAvailable)
setACL({'0.0.0.0/0', '::/0'})
whitelisted = newNMG()
whitelisted:addMask("xxx.xxx.xxx.0/22")
whitelisted:addMask("xx.xxx.xx.0/24")
addAction(NetmaskGroupRule(whitelisted), AllowAction())
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())
local dbr = dynBlockRulesGroup()
dbr:excludeRange({"xxx.xxx.xxx.0/22", "xx.xxx.xx.0/24", "xxxx:xxxx:x::/48"})
dbr:setQueryRate(30, 10, "Exceeded query rate", 120)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate", 120)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 120)
dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 120)
dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 120)
function maintenance()
  dbr:apply()
end
addAction(MaxQPSIPRule(25, 32, 64), TCAction())
pc = newPacketCache(1000000, {maxTTL=120, minTTL=0, temporaryFailureTTL=60, staleTTL=60, maxNegativeTTL=60, dontAge=false})
getPool(""):setCache(pc)
-------------
Is this an issue or is this by design?
thanks
Dave