[dnsdist] Question about implementing dynBlockRulesGroup

Remi Gacogne remi.gacogne at powerdns.com
Mon Oct 30 10:19:07 UTC 2023


On 30/10/2023 11:08, CamZie via dnsdist wrote:
> We would like to use DNSdist to block traffics that exceeds a QPS limit 
> and we have configured the following as test:
> local dbr = dynBlockRulesGroup()
> dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
> dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)
> function maintenance()
>    dbr:apply()
> end
> However, when we do 10 queries with the following command, all 10 
> requests still goes through successfully:
> for a in {0..10}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done
>  From the console, we can see that the client has been detected and is 
> listed in the blocklist but still the 10 queries has gone through even 
> though we have limited it to 5.
>> showDynBlocks()
> What                      Seconds   Blocks Warning    Action             
>    Reason
> <DNSdist_IP>/32              56        0 false      Drop                 
> Exceeded query rate

This is expected, as 'maintenance' is called every second so it might 
take up to a second for the client to get blocked.

> Is there a way we can immediately drop the connection after reaching max 
> 5 queries per second as defined in the config? This is the same case 
> with the ANY requests restriction.

MaxQPSIPRule [1]should do that. It is a bit more expensive than dynamic 
blocks when you have a lot of queries per second because it has to 
update a state for every query, but the "shards" parameter added in 
1.8.0 should help a lot under heavy load.

[1]: https://dnsdist.org/rules-actions.html#MaxQPSIPRule

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20231030/b213d2e3/attachment.sig>

More information about the dnsdist mailing list