[Pdns-dev] [dns-operations] dns response rate limiting (DNS RRL) patch available for testing
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri Jun 22 15:01:16 CEST 2012
Hello,
please find a very simple example rate limiting script below.
Script limitations:
- os.time() is an integer so the cutoffs may be staggered in practice
- remotes never get cleared from the ips table
Prequery hook limitations:
- as mentioned before (I think), there is a script instance per distributor-thread; set to 1 for easiest testing (so all invocations share the same global data). I will work on making data (or just the script instance) shared between threads.
- TCP queries do not pass prequery at all, currently
ips = {}      -- remote address -> { second, queries seen in that second }
limit = 10    -- maximum queries per remote per second

function prequery(dnspacket)
  -- pdnslog("prequery called for " .. tostring(dnspacket))
  local remote = dnspacket:getRemote()
  local time = os.time()
  -- start a fresh counter when this remote is new or the second has changed
  if not ips[remote] or ips[remote][1] ~= time then
    ips[remote] = { time, 0 }
  end
  local count = ips[remote][2] + 1
  if count > limit then
    -- over quota: answer REFUSED ourselves and tell PowerDNS not to look further
    dnspacket:setRcode(pdns.REFUSED)
    pdnslog("remote " .. remote .. " is over quota")
    return true
  end
  ips[remote][2] = count
  pdnslog("remote " .. remote .. " has asked " .. count .. " queries this second")
  return false
end
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
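Added example (not part of the mail above, nor PowerDNS project code): a token-bucket variant of the same prequery hook that addresses the two script limitations listed in the mail, smoothing the integer os.time() cutoffs by refilling proportionally to elapsed seconds and evicting idle remotes from the table. It assumes only the hook API the mail's script uses (dnspacket:getRemote(), dnspacket:setRcode(), pdns.REFUSED, pdnslog) and, like the mail's script, a single script instance so that all threads share the table.

```lua
-- Token-bucket rate limiter for the PowerDNS prequery hook (added example).
-- Assumes the hook API used in the mail: dnspacket:getRemote(),
-- dnspacket:setRcode(), pdns.REFUSED and pdnslog, plus one shared script instance.
local RATE, BURST = 10, 20   -- refill per second / maximum burst, per remote
local IDLE_TTL, SWEEP_EVERY = 300, 60  -- drop idle remotes; scan interval (seconds)
local buckets, last_sweep = {}, os.time()   -- remote -> { tokens, last }

-- Allow one query from `remote` at time `now`? Refill is proportional to the
-- elapsed seconds, so os.time()'s integer granularity only delays refills
-- instead of creating a hard per-second cutoff as in the simple counter.
local function allow(remote, now)
  local b = buckets[remote]
  if not b then
    b = { tokens = BURST, last = now }
    buckets[remote] = b
  end
  if now > b.last then
    b.tokens = math.min(BURST, b.tokens + (now - b.last) * RATE)
    b.last = now
  end
  if b.tokens < 1 then return false end
  b.tokens = b.tokens - 1
  return true
end

-- Evict remotes idle for IDLE_TTL seconds so the table cannot grow without
-- bound (the "remotes never get cleared" limitation of the simple script).
local function sweep(now)
  if now - last_sweep < SWEEP_EVERY then return end
  last_sweep = now
  for remote, b in pairs(buckets) do
    if now - b.last > IDLE_TTL then buckets[remote] = nil end
  end
end

function prequery(dnspacket)
  local remote = dnspacket:getRemote()
  local now = os.time()
  sweep(now)
  if not allow(remote, now) then
    dnspacket:setRcode(pdns.REFUSED)
    pdnslog("remote " .. remote .. " is over quota")
    return true    -- hand back the modified (REFUSED) packet
  end
  return false     -- let PowerDNS answer normally
end
```

With RATE 10 and BURST 20 a remote may send a short burst of 20 queries, after which it is held to a sustained 10 per second; the mail's note that TCP queries do not pass prequery still applies.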