[Pdns-dev] [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Jun 15 15:06:53 CEST 2012


On Jun 14, 2012, at 16:20 , abang wrote:

>> I have a PowerDNS branch that allows a Lua hook to be called before processing of any query: https://github.com/Habbie/powerdns/compare/master...lua-prequery
> Is this lua-prequery-script running per thread like the lua-dns-script, each thread with its own memory, or is there only one instance of it?

The current implementation has a Lua instance per PacketHandler. I believe distributor-threads roughly influences the number of PacketHandlers that are instantiated.

>> Thoughts?
> What can happen if the rate limit is reached? Should packets be dropped silently? Would this be possible with the prequery lua hook?

Silent dropping would be best I think, yes. The hook does not currently do this but it could easily be adapted for that.

> But I think it is more appropriate to return "Refused".

This is possible already with the hook. Depending on the kind of attack either REFUSED or drop could both be desirable options.

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
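As an added illustration of the decision discussed in this message (answer, silently drop, or return REFUSED once a per-client limit is exceeded), the following Python models a per-source token bucket the way a prequery hook would apply it. This is not code from PowerDNS or from the lua-prequery branch; the class and function names, the sample address and the limits are constructed for the example. Because the thread states that there is one Lua instance per PacketHandler, a limiter like this would keep separate counters per handler, so the effective limit seen by one client is roughly the configured rate times the number of handlers.

```python
"""Per-source token-bucket response rate limiter (constructed example).

Models the answer / drop / REFUSED choice from the discussion above; it is
not the PowerDNS hook API and does not speak DNS itself.
"""

import time
from collections import defaultdict


class ResponseRateLimiter:
    """Token bucket keyed on the querying source address.

    Keyed on source only: RRL limits how much traffic a given, possibly
    spoofed, address receives from this server. Each PacketHandler would
    own its own instance, so counters are per handler, not global.
    """

    def __init__(self, rate_per_sec, burst, mode="drop", clock=time.monotonic):
        if mode not in ("drop", "refused"):
            raise ValueError("mode must be 'drop' or 'refused'")
        self.rate = float(rate_per_sec)   # tokens refilled per second
        self.burst = float(burst)         # bucket capacity
        self.mode = mode                  # action once the bucket is empty
        self.clock = clock                # injectable for deterministic tests
        self.buckets = {}                 # source_ip -> (tokens, last_seen)

    def decide(self, source_ip):
        """Return 'answer', 'drop' or 'refused' for one incoming query."""
        now = self.clock()
        tokens, last = self.buckets.get(source_ip, (self.burst, now))
        # Refill proportionally to elapsed time, capped at the burst size
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[source_ip] = (tokens - 1.0, now)
            return "answer"
        self.buckets[source_ip] = (tokens, now)
        return self.mode


def run_sample(mode):
    """Replay a constructed burst from one address and count the outcomes.

    12 queries arrive in the same instant against a 2 qps / burst 5 limiter,
    then 3 more arrive one second later (two tokens have been refilled).
    """
    fake_clock = [1000.0]
    rl = ResponseRateLimiter(rate_per_sec=2, burst=5, mode=mode,
                             clock=lambda: fake_clock[0])
    outcomes = defaultdict(int)
    for _ in range(12):
        outcomes[rl.decide("192.0.2.10")] += 1   # constructed client address
    fake_clock[0] += 1.0
    for _ in range(3):
        outcomes[rl.decide("192.0.2.10")] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print(run_sample("drop"))      # {'answer': 7, 'drop': 8}
    print(run_sample("refused"))   # {'answer': 7, 'refused': 8}
```

Whether the limited queries are dropped or answered with REFUSED is a deployment choice, as the message says: a drop costs the server nothing further and sends nothing to a spoofed victim, while REFUSED lets a legitimate but over-limit resolver notice it is being limited.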
