Hi,

I would like to ask about dynamic rules behavior. I run dnsdist 1.6.1 on Debian and I have the following rules set:

#####
local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSQType.TXT, 25, 30, "Exceeded TXT rate", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDomain rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 3, 10, "Exceeded ANY rate", 60)
dbr:setResponseByteRate(30000, 10, "Exceeded responses bps rate", 60)
dbr:setQueryRate(100, 10, "Exceeded query rate", 60, DNSAction.Drop, 80)

function maintenance()
  dbr:apply()
end
#####

There is a client which continuously sends DNS traffic like this:

src.ip.of.cnt - source IP of a client
dst.ip.of.srv - destination IP of my dnsdist server

##### tcpdump #####
11:34:02.000372 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? i...@somedomain.com. (36)
11:34:02.000474 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
11:34:02.006126 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? i...@somedomain.com. (36)
11:34:02.006246 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
...cut...
11:34:02.989632 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? i...@somedomain.com. (36)
11:34:02.989716 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
11:34:02.992114 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? i...@somedomain.com. (36)
11:34:02.992172 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
##### end of tcpdump #####

There are more than 120 qps and all the queries end with an "NXDomain" response. If I read my dynamic rules from the top, I think this client should be trapped by the "DNSRCode.NXDOMAIN" rule, which is more strict for this case, but the client is usually trapped by the "QueryRate" rule. Why is it so?

Regards
John Littlekate