[Pdns-dev] [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Jun 22 15:01:16 CEST 2012


Hello,

Please find a very simple example rate limiting script below.

Script limitations:
- os.time() is an integer so the cutoffs may be staggered in practice
- remotes never get cleared from the ips table

Prequery hook limitations:
- as mentioned before (I think), there is a script instance per distributor-thread; set to 1 for easiest testing (so all invocations share the same global data). I will work on making data (or just the script instance) shared between threads.
- TCP queries do not pass prequery at all, currently

-- per-remote state: remote address -> { second, query count in that second }
ips = {}
-- maximum queries per remote per second
limit = 10

function prequery ( dnspacket )
	-- pdnslog ("prequery called for ".. tostring(dnspacket) )
	local remote = dnspacket:getRemote()
	local time = os.time()
	-- start a fresh counter when the remote is new or the second has rolled over
	if not ips[remote] or ips[remote][1] ~= time
	then
		ips[remote]={time,0}
	end
	local count = ips[remote][2]
	count = count +1
	if count > limit
	then
		-- over quota: answer REFUSED and tell PowerDNS we handled the packet
		dnspacket:setRcode(pdns.REFUSED)
		pdnslog ("remote "..remote.." is over quota")
		return true
	end
	ips[remote][2]=count
	pdnslog("remote "..remote.." has asked "..count.." queries this second")
	-- under quota: let PowerDNS answer normally
	return false
end



Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
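The following is an added example, not code from Peter's post or from PowerDNS, showing one way to address the two script limitations he lists: the ips table is swept of idle remotes, and the decision is split out of prequery so it can be checked with a fixed clock instead of os.time(). It assumes the hook API visible in the post (dnspacket:getRemote(), dnspacket:setRcode(pdns.REFUSED), pdnslog()); the pdns and pdnslog stubs, the maxage value and the addresses in the self-check are constructed for running the file under plain lua outside PowerDNS.

```lua
-- Added example: prequery hook with bounded state (not from the original post).
-- Assumes the PowerDNS hook API shown in the post; stubs below are only for
-- running this file stand-alone with `lua`.

limit     = 10   -- queries per remote per second
maxage    = 5    -- seconds of silence after which a remote is forgotten (assumed value)
ips       = {}   -- remote -> { second, count }
lastsweep = 0    -- clock value of the last table sweep

-- Stand-ins so the script runs outside PowerDNS; inside PowerDNS these exist already.
local standalone = (pdns == nil)
if pdns == nil then pdns = { REFUSED = 5 } end               -- RCODE 5 = REFUSED
if pdnslog == nil then pdnslog = function(msg) print(msg) end end

-- Forget remotes idle for more than maxage seconds, at most once per second,
-- so the ips table no longer grows without bound.
local function sweep(now)
	if now - lastsweep < 1 then return end
	lastsweep = now
	for remote, entry in pairs(ips) do
		if now - entry[1] > maxage then
			ips[remote] = nil
		end
	end
end

-- Core decision, independent of the packet object and of os.time().
-- Returns true when the remote has exceeded `limit` queries in second `now`.
function overquota(remote, now)
	sweep(now)
	local entry = ips[remote]
	if not entry or entry[1] ~= now then
		entry = { now, 0 }
		ips[remote] = entry
	end
	entry[2] = entry[2] + 1
	return entry[2] > limit
end

function prequery(dnspacket)
	local remote = dnspacket:getRemote()
	if overquota(remote, os.time()) then
		dnspacket:setRcode(pdns.REFUSED)
		pdnslog("remote " .. remote .. " is over quota")
		return true
	end
	return false
end

-- Self-check with a fixed clock and constructed (documentation-range) addresses.
local function selfcheck()
	ips = {}
	local refused = 0
	for i = 1, 15 do
		if overquota("192.0.2.1", 1000) then refused = refused + 1 end
	end
	assert(refused == 5, "expected 5 refusals after 15 queries in one second")
	assert(not overquota("192.0.2.1", 1001), "a new second resets the counter")
	assert(ips["192.0.2.1"] ~= nil)
	overquota("192.0.2.2", 1010)   -- triggers a sweep; 192.0.2.1 has been idle > maxage
	assert(ips["192.0.2.1"] == nil, "idle remote was evicted from the table")
	pdnslog("selfcheck passed")
end
if standalone then selfcheck() end
```

This still counts per whole second of os.time(), so the staggered-cutoff caveat from the post remains; it only keeps the table from growing and makes the quota logic testable. The per-thread script instance point is unchanged: each distributor thread would keep its own ips table until the instance is shared.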


