[dnsdist] Question about implementing dynBlockRulesGroup
Remi Gacogne
remi.gacogne at powerdns.com
Mon Oct 30 10:19:07 UTC 2023
Hi,
On 30/10/2023 11:08, CamZie via dnsdist wrote:
> We would like to use DNSdist to block traffic that exceeds a QPS limit,
> and we have configured the following as a test:
>
> local dbr = dynBlockRulesGroup()
>
> dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
> dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)
>
> function maintenance()
>   dbr:apply()
> end
>
> However, when we do 10 queries with the following command, all 10
> requests still go through successfully:
>
> for a in {0..10}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done
>
> From the console, we can see that the client has been detected and is
> listed in the blocklist, but still the 10 queries have gone through even
> though we have limited it to 5.
>
>> showDynBlocks()
> What              Seconds  Blocks  Warning  Action  Reason
> <DNSdist_IP>/32   56       0       false    Drop    Exceeded query rate
This is expected, as 'maintenance' is called every second so it might
take up to a second for the client to get blocked.
> Is there a way we can immediately drop the connection after reaching max
> 5 queries per second as defined in the config? This is the same case
> with the ANY requests restriction.
MaxQPSIPRule [1] should do that. It is a bit more expensive than dynamic
blocks when you have a lot of queries per second because it has to
update a state for every query, but the "shards" parameter added in
1.8.0 should help a lot under heavy load.
[1]: https://dnsdist.org/rules-actions.html#MaxQPSIPRule
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
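The configuration below is an added example, not code from the thread above or from the dnsdist project. It puts the two mechanisms discussed side by side: MaxQPSIPRule evaluated on every query (so enforcement is immediate), and the dynamic block group from the question, which only takes effect after the next once-per-second maintenance() run. All MaxQPSIPRule parameters after the first (/32 and /64 client masks, burst, expiration, cleanup delay, scan fraction, shard count) are illustrative values, not recommendations; the rule and action names are the documented dnsdist Lua API.

```lua
-- Added example, not from the original thread: immediate per-query rate
-- limiting with MaxQPSIPRule, plus the dynamic block group from the question
-- as a second layer.

-- MaxQPSIPRule keeps per-client rate state and is checked on every query,
-- so the sixth query from one client within a second is dropped at once.
-- Positional parameters after the QPS value are assumed values for this
-- example: v4 mask, v6 mask, burst, expiration (s), cleanup delay (s),
-- scan fraction, and shards (the 1.8.0 option that splits the state table
-- to reduce lock contention under heavy load).
addAction(MaxQPSIPRule(5, 32, 64, 5, 300, 60, 10, 4), DropAction())

-- Same idea restricted to ANY queries: only ANY counts toward this 2 QPS limit.
addAction(AndRule({QTypeRule(DNSQType.ANY), MaxQPSIPRule(2)}), DropAction())

-- Dynamic blocks as in the question. maintenance() runs once a second, so a
-- client may get up to a second of extra queries through before it is
-- listed, but once listed it is dropped without per-query rate bookkeeping
-- for the duration of the block (60 s here).
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

function maintenance()
  dbr:apply()
end
```

With both layers in place, a client that sends more than five queries in one second sees the excess silently dropped by MaxQPSIPRule (dig will time out rather than return an answer), and showDynBlocks() still lists the client once maintenance() has run, as in the console output quoted above.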