[dnsdist] rule to limit the QPS for each zone in absolute terms

Jacob Bunk Nielsen jbn at one.com
Mon Apr 3 18:26:52 UTC 2023


On 02/04/2023 09.35, Marco Mangione via dnsdist wrote:
> Have you ever had an area under flood attack? Well, it is identified 
> (even automatically) and a specific rule is applied to the area under 
> attack.
> Do you think it is possible to create a dynamic rule that does this 
> automatically? That is, if a single zone exceeds X qps --> action.

The problem is that dnsdist usually doesn't know what is a zone and what 
is not.

E.g. is www.example.com a zone? You would need to check for a SOA record 
and delegation records to know for sure. That is likely more expensive 
than just answering the query you got.

What about foo.bar.example.com? Or a.b.c.d.example.com? Those random 
subdomain attacks can go quite deep in some cases.

I completely understand why you have this idea, but it's not entirely 
trivial to implement in a sufficiently generic way.

Best regards,


More information about the dnsdist mailing list