[Pdns-users] Flood Throttle

Jon Davis maillist at konsoletek.com
Wed Sep 7 16:11:46 UTC 2011


Could you add something in iptables for rate limiting? Granted that won't
handle NXDOMAIN/SRVFAIL specifically, but you could probably guess a high
end average and cap it to that.

-Jon

On Tue, Sep 6, 2011 at 21:36, Andrew Melton <rbc310 at gmail.com> wrote:

> Following the advice from the IRC channel, I am looking for throttling
> support in PDNS.  As I understand it, the recursor currently has the
> ability to suppress repetitive queries from being forwarded to an
> authoritative name server.  However, there is no mechanism to discourage
> those requests from the client in the first place.
>
> Essentially, instead of answering a bogus query forever, at a certain
> point, it would make sense to return an alternate response.  After 50
> requests for an NXDOMAIN, the recursor could not only stop forwarding
> queries, but reply with SRVFAIL or similar, updating its cache accordingly.
>
> Just as with setting a throttling threshold on forwarding, x requests
> within y seconds would constitute a flood and instruct the recursor to
> protect itself by altering its response to identical requests.
>
> And pushing this to a network appliance (firewall) won't work.  It needs to
> be unattended and realtime.
>
> Thanks.
>
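The "x requests within y seconds" policy described in the quoted message, as an added sketch that is not PowerDNS code and not from either poster: a per-client, per-question sliding window that counts only negative upstream answers and, once the threshold is reached, answers SERVFAIL locally instead of forwarding again. The class and method names, and the choice to count only NXDOMAIN/SERVFAIL answers, are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

# Upstream answers that count as evidence of a flood (assumption for the sketch).
NEGATIVE_RCODES = {"NXDOMAIN", "SERVFAIL"}


class NegativeAnswerThrottle:
    """Per-client, per-question sliding-window flood detector (hypothetical).

    After `threshold` negative upstream answers for the same question from
    the same client within `window` seconds, the recursor answers SERVFAIL
    locally instead of forwarding the question to the authoritative server.
    """

    def __init__(self, threshold=50, window=60.0, clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._hits = defaultdict(deque)  # key -> timestamps of negative answers

    @staticmethod
    def _key(client, qname, qtype):
        # Normalise so "Foo.Example." and "foo.example" count as the same question.
        return (client, qname.lower().rstrip("."), qtype.upper())

    def on_query(self, client, qname, qtype):
        """Decide before forwarding: 'FORWARD' or 'SERVFAIL' (answer locally)."""
        key = self._key(client, qname, qtype)
        hits = self._hits.get(key)
        if not hits:
            return "FORWARD"
        now = self.clock()
        while hits and now - hits[0] > self.window:  # drop entries older than the window
            hits.popleft()
        if not hits:
            del self._hits[key]  # keep the table from growing without bound
            return "FORWARD"
        return "SERVFAIL" if len(hits) >= self.threshold else "FORWARD"

    def on_response(self, client, qname, qtype, rcode):
        """Record the upstream answer; only negative answers count toward the flood."""
        key = self._key(client, qname, qtype)
        if rcode in NEGATIVE_RCODES:
            self._hits[key].append(self.clock())
        else:
            self._hits.pop(key, None)  # a real answer clears the history for this question
```

Keying on the client as well as the question means one abusive client cannot poison the answer other clients receive for the same name.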