[dnsdist] Dynamic rule NXDomain
Remi Gacogne
remi.gacogne at powerdns.com
Thu Sep 23 15:49:02 UTC 2021
Hi John,
On 9/23/21 17:10, John Littlekate via dnsdist wrote:
> There is more than 120 qps and all the queries end with "NXDomain" response.
> If I read my dynamic rules from top, I think, this client should be
> trapped by "DNSRCode.NXDOMAIN" rule,
> which is more strict for this case, but the client is usually trapped by
> "QueryRate" rule.
> Why it is so?
When dynBlockRulesGroup:apply() is called it evaluates the rules in that
order, regardless of the order in which they were defined:
- query rate
- response byte rate
- qtype rate
- rcode rate
- rcode ratio
The first rule triggered by a client applies, so if a client exceeds the
thresholds for several rules at the same time it will only match the
first one. In theory the more restrictive one is more likely to be
triggered first, but if the client is sending a sudden burst of queries
it might not happen that way.
I hope that helps.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210923/600fd1b1/attachment.sig>
More information about the dnsdist
mailing list