[Pdns-dev] [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Marc Haber mh+pdns-dev at zugschlus.de
Sat Jun 16 14:30:09 CEST 2012


On Fri, Jun 15, 2012 at 03:06:53PM +0200, Peter van Dijk wrote:
> On Jun 14, 2012, at 16:20 , abang wrote:
> > But I think it is more appropriate to return "Refused".
> 
> This is possible already with the hook. Depending on the kind of
> attack either REFUSED or drop could both be desirable options.

If REFUSED is considered, please make that configurable. In case the
PowerDNS server is abused as an attack reflector, the victim doesn't
care if it's valid answers or REFUSED packets that are flooding it
from the network.

Maybe it would be a good idea to rate limit outgoing REFUSED per-ip as
well. One per second looks like a good default to me.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062
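The policy Marc proposes (answer a query that trips RRL with REFUSED, but cap outgoing REFUSED per client IP at roughly one per second and silently drop the rest) can be modelled as a per-IP token bucket. The following is an added illustration, not PowerDNS code and not from the thread's patch; the class names, the `rrl_tripped` flag and the constructed query timeline are assumptions made for the example.

```python
"""Per-source-IP rate limiting of outgoing REFUSED responses.

Added example, not PowerDNS code. Models the policy discussed in the
thread: a query that trips RRL is answered with REFUSED, but at most
`rate` REFUSED packets per second go to any one client IP; the rest
are dropped, so an attacker spoofing a victim's address cannot turn
REFUSED packets into a reflected flood either.
"""
import time


class RefusedRateLimiter:
    """Token bucket per client IP (hypothetical helper for this example).

    rate  = tokens refilled per second (1.0 = Marc's suggested default)
    burst = bucket capacity, i.e. how many REFUSED may go out back to back
    clock = callable returning seconds; injectable so it can be simulated
    """

    def __init__(self, rate=1.0, burst=1, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.buckets = {}  # ip -> (tokens, last_refill_time)

    def allow(self, ip):
        """Consume one token for ip if available; True = send REFUSED."""
        now = self.clock()
        tokens, last = self.buckets.get(ip, (float(self.burst), now))
        # refill proportionally to elapsed time, never beyond burst
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False


def decide(limiter, ip, rrl_tripped):
    """Return 'ANSWER', 'REFUSED' or 'DROP' for one query from ip.

    rrl_tripped is assumed to come from the server's RRL hook: True means
    the client already exceeded the normal answer rate.
    """
    if not rrl_tripped:
        return "ANSWER"
    return "REFUSED" if limiter.allow(ip) else "DROP"


def simulate(events, rate=1.0, burst=1):
    """Run a constructed timeline of (t_seconds, client_ip, rrl_tripped)
    through the limiter with a fake clock and return the decisions."""
    state = {"now": 0.0}
    limiter = RefusedRateLimiter(rate=rate, burst=burst,
                                 clock=lambda: state["now"])
    decisions = []
    for t, ip, tripped in events:
        state["now"] = t
        decisions.append(decide(limiter, ip, tripped))
    return decisions


# Constructed sample timeline: one abusive client (192.0.2.1, a
# documentation address) sends four queries within a second, a second
# client sends one, and the abusive client comes back just after 1 s.
SAMPLE_EVENTS = [
    (0.00, "192.0.2.1", True),     # first over-limit query -> REFUSED
    (0.10, "192.0.2.1", True),     # bucket empty -> DROP
    (0.20, "198.51.100.7", True),  # different IP, own bucket -> REFUSED
    (0.50, "192.0.2.1", False),    # under normal rate -> ANSWER as usual
    (1.05, "192.0.2.1", True),     # one token refilled -> REFUSED again
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={event[0]:.2f}s {event[1]:<14} -> {verdict}")
```

With the default of one token per second, a spoofed victim receives at most one REFUSED per second from this server regardless of how many queries the attacker sends in its name, which is the property the post asks for; raising `burst` lets legitimate bursty clients see REFUSED instead of a silent drop at the cost of a slightly higher reflected ceiling.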

