[dnsdist] [EXT] Re: Question about implementing dynBlockRulesGroup
Remi Gacogne
remi.gacogne at powerdns.com
Mon Dec 4 14:30:35 UTC 2023
Hi,

On 04/12/2023 14:37, CamZie wrote:
> I tried testing "MaxQPSIPRule" by setting it to "3" but the drop
> connection only occurs on every 4th request. We would like to be able to
> block all requests from the source IP after they reach a certain limit.

Right, it allows 3 queries per second, so the 4th one is blocked, dig
times out after a delay of one second, so there is again a 3-queries
credit for the next second, and so on and so forth.

So am I correctly understanding that you want to block for a given
amount of time a client after it has exceeded, once, a given QPS rate?
The Dynamic Blocks are designed to do just that, but as discussed before
there is a delay of up to one second before they are enforced for the
first time, for performance reasons. If you cannot live with that delay,
I'm afraid you will have to implement a custom rule using Lua [1].

[1]: https://dnsdist.org/advanced/luaaction.html

Hope that helps,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
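
One way to write the custom Lua rule mentioned in the message above, as an added example that is not part of the original message and not code from the dnsdist project: it drops a client's queries for a fixed time as soon as that client exceeds a per-second limit, with no enforcement delay. The names `LIMIT`, `BLOCK_FOR`, `clients` and `rateThenBlock`, and their values, are assumptions chosen for illustration.

```lua
-- Added example for dnsdist.conf (assumed values, adjust to your policy).
local LIMIT = 3        -- queries allowed per client per second
local BLOCK_FOR = 60   -- seconds to drop everything once LIMIT is exceeded

-- Per-client state, keyed by source address without the port.
-- Assumption: one entry per exact address (no IPv4/IPv6 masking).
local clients = {}

local function rateThenBlock(dq)
  local ip = dq.remoteaddr:toString()
  local now = os.time()
  local c = clients[ip]
  if c == nil then
    c = { window = now, count = 0, blockedUntil = 0 }
    clients[ip] = c
  end

  -- Still inside an earlier block: drop without counting.
  if now < c.blockedUntil then
    return DNSAction.Drop
  end

  -- Start a new one-second window when the clock has moved on.
  if c.window ~= now then
    c.window = now
    c.count = 0
  end

  c.count = c.count + 1
  if c.count > LIMIT then
    -- Unlike MaxQPSIPRule, the client gets no fresh credit next second.
    c.blockedUntil = now + BLOCK_FOR
    return DNSAction.Drop
  end
  return DNSAction.None
end

addAction(AllRule(), LuaAction(rateThenBlock))

-- dnsdist calls maintenance() about once per second; use it to expire
-- idle entries so the table does not grow without bound. If the
-- configuration already defines maintenance(), merge this loop into it.
function maintenance()
  local now = os.time()
  for ip, c in pairs(clients) do
    if now >= c.blockedUntil and now - c.window > 1 then
      clients[ip] = nil
    end
  end
end
```

Every query now passes through Lua, which is the performance cost the Dynamic Blocks avoid by evaluating rates only periodically.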