Hi,

On 30/10/2023 11:08, CamZie via dnsdist wrote:
We would like to use DNSdist to block traffic that exceeds a QPS limit and we have configured the following as a test:

local dbr = dynBlockRulesGroup()

-- block a client for 60 s once it sends more than 5 queries per second (1 s window)
dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
-- block a client for 60 s once it sends more than 2 ANY queries per second
dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)

-- dnsdist calls maintenance() about once a second; dbr:apply() inspects the
-- ring buffers and inserts the dynamic blocks for clients over the thresholds
function maintenance()
   dbr:apply()
end

However, when we do 10 queries with the following command, all 10 requests still go through successfully:

for a in {1..10}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done

From the console, we can see that the client has been detected and is listed in the blocklist, but the 10 queries have still gone through even though we have limited it to 5.

showDynBlocks()
What                 Seconds   Blocks   Warning   Action   Reason
<DNSdist_IP>/32      56        0        false     Drop     Exceeded query rate

This is expected, as 'maintenance' is called every second so it might take up to a second for the client to get blocked.

Is there a way we can immediately drop the connection after reaching the maximum of 5 queries per second as defined in the config? The same applies to the ANY request restriction.

MaxQPSIPRule [1] should do that. It is a bit more expensive than dynamic blocks when you have a lot of queries per second because it has to update a state for every query, but the "shards" parameter added in 1.8.0 should help a lot under heavy load.

[1]: https://dnsdist.org/rules-actions.html#MaxQPSIPRule

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

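As an added illustration of the approach suggested in the reply above (this is not configuration from the thread or from the dnsdist project), here is a dnsdist Lua config that applies MaxQPSIPRule inline, so the first query over the limit is dropped on the spot rather than after the next maintenance() pass. The 5 QPS and 2 ANY/s thresholds are taken from the original poster's dynamic-block config; the mask, burst, expiration, cleanup and shard values are assumptions chosen for the example.

```lua
-- Added example, not from the original thread or the dnsdist project.
-- MaxQPSIPRule keeps a token bucket per client address and checks it on
-- every query, so enforcement is immediate (no maintenance() delay).
--
-- MaxQPSIPRule(qps[, v4Mask[, v6Mask[, burst[, expiration[, cleanupDelay[, scanFraction[, shards]]]]]]])
-- 'shards' is available from dnsdist 1.8.0 onwards.

local v4Mask     = 32   -- key IPv4 clients per host (assumption: the defaults)
local v6Mask     = 64   -- key IPv6 clients per /64 so rotating within a prefix does not evade the limit
local expiration = 300  -- seconds of inactivity before a client's bucket is forgotten (assumption)
local cleanup    = 60   -- seconds between cleanup passes over the state table (assumption)
local scanFrac   = 10   -- scan 1/10th of the table per cleanup pass (assumption)
local shards     = 8    -- split the state table to cut lock contention under load (assumption)

-- ANY limit first: a dedicated MaxQPSIPRule instance keeps its own buckets and
-- is combined with QTypeRule so only ANY queries are charged against it.
-- Ordering it before the generic rule means a dropped ANY query does not also
-- consume a token from the client's generic 5 QPS bucket.
local anyQps   = 2
local anyBurst = 2      -- burst == qps: the 3rd ANY query within a second is dropped
addAction(AndRule({QTypeRule(DNSQType.ANY),
                   MaxQPSIPRule(anyQps, v4Mask, v6Mask, anyBurst,
                                expiration, cleanup, scanFrac, shards)}),
          DropAction())

-- Generic limit: at most 5 queries per second per client, anything above is dropped.
local qps   = 5
local burst = 5         -- burst == qps: the 6th query within a second is dropped
addAction(MaxQPSIPRule(qps, v4Mask, v6Mask, burst,
                       expiration, cleanup, scanFrac, shards),
          DropAction())
```

After loading this, showRules() on the dnsdist console lists both rules with their match counters, which is the quickest way to confirm that the ANY rule is evaluated before the generic one. Two caveats a practitioner should weigh before copying the numbers: the limit is keyed per source address, so many legitimate clients behind one NAT share a single bucket, and DropAction() gives those clients no answer at all; if that is too aggressive, the same rules can be paired with a response action such as RCodeAction(DNSRCode.REFUSED) or TCAction() (to push the client to TCP) instead of a silent drop.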

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
