[dnsdist] Dynamic rule NXDomain

Remi Gacogne remi.gacogne at powerdns.com
Thu Sep 23 15:49:02 UTC 2021


Hi John,

On 9/23/21 17:10, John Littlekate via dnsdist wrote:
> There is more than 120 qps and all the queries end with "NXDomain" response.
> If I read my dynamic rules from top, I think, this client should be 
> trapped by "DNSRCode.NXDOMAIN" rule,
> which is more strict for this case, but the client is usually trapped by 
> "QueryRate" rule.
> Why is it so?

When dynBlockRulesGroup:apply() is called it evaluates the rules in that 
order, regardless of the order in which they were defined:
- query rate
- response byte rate
- qtype rate
- rcode rate
- rcode ratio

The first rule triggered by a client applies, so if a client exceeds the 
thresholds for several rules at the same time it will only match the 
first one. In theory the more restrictive one is more likely to be 
triggered first, but if the client is sending a sudden burst of queries 
it might not happen that way.

I hope that helps.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
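The precedence Remi describes can be made visible in the configuration itself. The following is an added example dnsdist Lua configuration, not code from the thread or from the dnsdist project; the threshold values are constructed, and the `setRCodeRatio` call assumes a dnsdist version that has it (1.5.0 or later).

```lua
-- Added example: a dynamic block rules group whose rules are deliberately
-- written in an order that does NOT match the order apply() evaluates them.
local dbr = dynBlockRulesGroup()

-- Written first, but evaluated LAST by dbr:apply(): more than 80% NXDOMAIN
-- answers out of at least 100 responses in a 10 s window -> block 60 s.
-- (constructed thresholds)
dbr:setRCodeRatio(DNSRCode.NXDOMAIN, 0.8, 10, "NXDOMAIN ratio too high", 60, 100)

-- Written second, evaluated fourth: more than 50 NXDOMAIN responses per second
-- over 10 s -> block 60 s. (constructed thresholds)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10, "Exceeded NXDOMAIN rate", 60)

-- Written last, but evaluated FIRST: more than 100 queries per second over
-- 10 s -> block 60 s. A client that bursts 120 qps of pure NXDOMAIN traffic
-- exceeds both this rule and the NXDOMAIN rule in the same window; because
-- the query-rate rule is checked first, the block is attributed to it and
-- "Exceeded query rate" is the reason that shows up in the logs and in
-- showDynBlocks(). (constructed thresholds)
dbr:setQueryRate(100, 10, "Exceeded query rate", 60)

-- dnsdist calls maintenance() roughly once a second; apply() walks the rules
-- in the fixed order: query rate, response byte rate, qtype rate, rcode rate,
-- rcode ratio, and the first one a client exceeds is the one that blocks it.
function maintenance()
  dbr:apply()
end
```

The practical consequence for triage: when investigating why a client was blocked, read the recorded reason string as "the first rule exceeded in evaluation order", not as "the only rule exceeded". If the NXDOMAIN-specific reason matters for your alerting, give that rule a threshold low enough that a sustained NXDOMAIN stream trips it in an earlier maintenance interval than the query-rate rule, or check the client's NXDOMAIN counters separately rather than relying on the reason string alone.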