[dnsdist] How to apply dynamic rules with pools?

Remi Gacogne remi.gacogne at powerdns.com
Wed Feb 23 15:59:59 UTC 2022


Hi Mike,

On 23/02/2022 16:49, Willis, Michael via dnsdist wrote:
> I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so 
> it will trigger and stay triggered.
> This is so I can verify the correct rule is applying.

> dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)

This rule is saying "block, for 600 seconds, clients that have been 
sending more than one ANY query per second over the last 100 seconds", 
so one query is not going to be enough to trigger the block.

You could try this one instead:

dbr:setQTypeRate(DNSQType.ANY, 0, 1, "Exceeded ANY rate", 600)

This will block any client that has been sending more than 0 ANY queries 
per second over the last second. In my test this results in getting 
blocked right away after sending your first ANY query. I'm not sure I 
would recommend such a drastic rule, but that's a different matter :)

Hope that helps,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
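To make the arithmetic in the reply concrete, here is a small Python model of the trigger semantics it describes: a client is blocked once it has sent more than rate * seconds queries of the given qtype within the last `seconds` seconds, and the block lasts `blockDuration` seconds. This is an added illustration, not dnsdist's own code; the class and function names (QTypeRateRule, DynBlockModel, queries_until_block), the use of a bare client key instead of dnsdist's netmask handling, the inclusive window boundary and the sample client address 192.0.2.10 are all assumptions of the model. It shows that the original (ANY, 1, 100) rule needs 101 ANY queries inside a 100 second window, while the suggested (ANY, 0, 1) rule fires on the very first one.

```python
"""Model of dnsdist setQTypeRate() trigger semantics as described in the
reply above. Added illustration, not dnsdist code. Assumption: the rule
fires when a client has sent more than rate * seconds queries of the
given qtype within the last `seconds` seconds."""

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class QTypeRateRule:
    qtype: str            # e.g. "ANY"
    rate: float           # allowed queries per second
    seconds: float        # length of the sliding window
    reason: str           # text reported for the block
    block_duration: int   # how long (seconds) a block stays in place

    def threshold(self) -> float:
        """Total queries a client may send in one window before being blocked."""
        return self.rate * self.seconds


class DynBlockModel:
    """Per-client sliding window counter plus a block expiry table.
    Hypothetical simplification: clients are keyed by a plain string
    rather than a netmask."""

    def __init__(self, rule: QTypeRateRule):
        self.rule = rule
        self._queries = defaultdict(deque)   # client -> timestamps in window
        self.blocked_until = {}              # client -> block expiry time

    def is_blocked(self, client: str, now: float) -> bool:
        expiry = self.blocked_until.get(client)
        return expiry is not None and now < expiry

    def observe(self, client: str, qtype: str, now: float) -> bool:
        """Record one query at time `now`; return True if the client is
        blocked (either already, or as a result of this query)."""
        if self.is_blocked(client, now):
            return True
        if qtype != self.rule.qtype:
            return False                     # other qtypes do not count
        window = self._queries[client]
        window.append(now)
        cutoff = now - self.rule.seconds
        while window and window[0] < cutoff:  # drop queries older than the window
            window.popleft()
        if len(window) > self.rule.threshold():
            self.blocked_until[client] = now + self.rule.block_duration
            return True
        return False


def queries_until_block(rule: QTypeRateRule, qps: float,
                        max_queries: int = 1000):
    """How many `rule.qtype` queries a single client sending at `qps`
    queries per second gets through before the rule fires; None if the
    rule never fires within max_queries (rate stays under the limit)."""
    model = DynBlockModel(rule)
    client = "192.0.2.10"                    # constructed sample client
    for i in range(max_queries):
        if model.observe(client, rule.qtype, i / qps):
            return i + 1
    return None


if __name__ == "__main__":
    original = QTypeRateRule("ANY", 1, 100, "Exceeded ANY rate", 600)
    drastic = QTypeRateRule("ANY", 0, 1, "Exceeded ANY rate", 600)
    print("original rule, 2 qps :", queries_until_block(original, qps=2))
    print("original rule, 0.5 qps:", queries_until_block(original, qps=0.5))
    print("suggested rule, 1 qps :", queries_until_block(drastic, qps=1))
```

Running it shows the first rule fires after the 101st ANY query when a client sends two per second, never fires at half a query per second, and the suggested rule blocks on the first ANY query; queries of other types are not counted toward the ANY rule.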