[Pdns-dev] [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

abang abang at t-ipnet.net
Thu Jun 14 16:20:04 CEST 2012


Am 14.06.2012 10:55, schrieb Peter van Dijk:
> Hello,
>
> On Jun 14, 2012, at 10:28 , Ask Bjørn Hansen wrote:
>
>> This would be a nice feature to have in PowerDNS, too.
>
>
> I have a PowerDNS branch that allows a Lua hook to be called before processing of any query: https://github.com/Habbie/powerdns/compare/master...lua-prequery

Is this lua-prequery-script running per thread like the lua-dns-script, 
each thread with its own memory, or is there only one instance of it?

> I'm thinking building the filtering in Lua (performance permitting) would be an interesting exercise in configurability.

Yes indeed.

> Thoughts?

What can happen if the rate limit is reached? Should packets be dropped 
silently? Would this be possible with the prequery lua hook?

But I think it is more appropriate to return "Refused".

The implementation in Lua could work like this:

If the rate limit is client-IP based, a Lua hash can store the rate 
statistics per client and if the limit is exceeded, queries from this 
client will be refused until the rate is again below the limit. If the 
client-IP-hash size exceeds a certain value, the hash is completely 
deleted and it starts over again.


   Winfried
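Added example, not code from the thread or from PowerDNS: the per-client table Winfried sketches, written in Python rather than Lua so it can be run stand-alone. The fixed-window counting, the limit values, the rcode names and the wipe-when-full behaviour are my assumptions; the prequery hook API itself is not modelled.

```python
"""Per-client query rate limiter in the shape of the Lua sketch (constructed example)."""
import time
from ipaddress import ip_address

LIMIT = 5            # queries allowed per client per window (assumed value)
WINDOW = 1.0         # window length in seconds (assumed value)
MAX_CLIENTS = 1000   # wipe the whole table once it grows past this (assumed value)

RCODE_NOERROR = "NOERROR"   # answer the query normally
RCODE_REFUSED = "REFUSED"   # the message's preferred reaction to an over-limit client


class ClientRateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, max_clients=MAX_CLIENTS):
        self.limit = limit
        self.window = window
        self.max_clients = max_clients
        self.table = {}    # client ip -> [window_start, query_count]
        self.resets = 0    # how often the table was wiped; worth exporting as a metric

    def decide(self, client_ip, now=None):
        """Return the rcode the hook should answer with for one query from client_ip."""
        now = time.monotonic() if now is None else now
        key = str(ip_address(client_ip))   # normalise the address, reject garbage input
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= self.max_clients:
                # The sketch's memory bound: drop the whole table and start over.
                self.table.clear()
                self.resets += 1
            self.table[key] = [now, 1]
            return RCODE_NOERROR
        start, count = entry
        if now - start >= self.window:
            # Window expired: the client's rate is below the limit again.
            entry[0], entry[1] = now, 1
            return RCODE_NOERROR
        entry[1] = count + 1
        return RCODE_REFUSED if entry[1] > self.limit else RCODE_NOERROR


def simulate(limiter, queries):
    """Feed (timestamp, client_ip) pairs through the limiter and collect the rcodes."""
    return [limiter.decide(ip, now=t) for t, ip in queries]
```

A REFUSED reply is still a reply, so a flood with a spoofed source address still sends a small packet back to the spoofed victim; that is why the silent-drop alternative the message asks about matters for reflection, not just for server load.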

