[dnsdist] dnsdist 1.8, change of behavior for dynamic blocks

Jacob Bunk Nielsen jbn at one.com
Thu May 11 10:06:06 UTC 2023

On 11/05/2023 11.58, Remi Gacogne via dnsdist wrote:
> On 14/04/2023 08:25, Jacob Bunk Nielsen via dnsdist wrote:
>> Just a heads up, we run an auth DNS service and I noticed after we 
>> upgraded to dnsdist 1.8 that we have started blocking a lot more 
>> based on a dynamic block rule defined as:
>> dbr:setRCodeRate(DNSRCode.REFUSED, N, X, 'Exceeded REFUSED response 
>> rate', Y)
>> This is what the metrics look like from around the upgrade time: 
>> https://allg.one/bvLn - I suspect that the rule above have now 
>> started working as intended.
> Thanks a lot for the heads-up! I don't remember any recent change in 
> the related code, so I'm a bit surprised. Just to be sure, was dnsdist 
> upgraded from 1.7.x? I'm asking because I remember fixing an issue 
> that could be related in 1.6, but that doesn't match if you upgraded 
> from 1.7.x, of course.

We upgraded from 1.7.3 to 1.8.0. I suspect many of the REFUSED responses 
to be answered from cache, since most of them will (in our case) be a 
result of a lame delegation and lame delegations seems to retried very 
eagerly by some resolvers.

Best regards,


More information about the dnsdist mailing list