[Pdns-users] Rate-Limit for NXDOMAIN

Brian Candler b.candler at pobox.com
Tue Apr 30 14:23:05 UTC 2019


On 30/04/2019 14:57, Filipe Cifali wrote:
> Other than that you can put a DNS cache in front of the authoritative 
> to hold off those aggressive queries and give it a nice slab of RAM.

pdns has its own packetcache layer which works very well, but if every 
query is a different <randomstring>.<yourdomain> then any cache would be 
forced to pass the query through.

There might be some ways to deal with this, e.g. if <randomstring> is 
always more than a certain number of characters, dnsdist could filter 
them out (whilst explicitly whitelisting any other valid names which 
happen to be the same length).

The trouble is, you do still want to return NXDOMAIN normally to regular 
typos.
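
The length filter suggested above could be written as a dnsdist configuration like the following. This is an added example, not part of the original post or of the PowerDNS project; the zone `example.com`, the 16-character threshold, the allowlisted names and the listen/backend addresses are all assumptions to be replaced with values taken from your own zone and observed traffic.

```lua
-- dnsdist.conf sketch (added example; all names, addresses and the
-- threshold are assumed placeholders).

-- dnsdist listens for clients and forwards to the pdns authoritative server.
setLocal("192.0.2.1:53")
newServer({address="192.0.2.10:5300", name="pdns-auth"})

-- 1. Legitimate names whose first label is as long as the random strings.
--    QNameRule matches the exact query name; AllowAction stops rule
--    processing, so these never reach the drop rule below.
addAction(
  OrRule({
    QNameRule("autodiscover-legacy.example.com."),
    QNameRule("very-long-service-name.example.com."),
  }),
  AllowAction()
)

-- 2. Drop queries for <label>.example.com where <label> has 16 or more
--    characters. makeRule() restricts the rule to the zone; RegexRule sees
--    the query name without the trailing dot, so the pattern means
--    "first label >= 16 chars, followed by exactly two more labels".
--    Adjust the number of trailing labels if your zone is deeper.
addAction(
  AndRule({
    makeRule("example.com."),
    RegexRule("^[^.]{16,}\\.[^.]+\\.[^.]+$"),
  }),
  DropAction()
)

-- 3. Everything else, including short typos such as "wwww.example.com",
--    is forwarded to pdns and receives an ordinary NXDOMAIN.
```

Rules are evaluated in the order they are added, so the allowlist has to come before the drop rule.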


