On 18/07/2023 23:59, Stuart Henderson wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "self DoS").
>
> You may be interested in looking into L7 methods of mitigating
> problems from high rates of DNS queries - for example dnsdist
> allows a lot of flexibility in this area.
dnsdist looks interesting. Can it run on top of carp interfaces? Maybe even better, can it run under relayd (redirect) on top of carp?

G
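As an added illustration of the L7 approach Stuart suggests (not code from either poster or from the dnsdist project): a minimal dnsdist configuration that dynamically rate-limits per client address and answers over-limit UDP queries with TC=1 instead of dropping them, so a spoofed UDP source cannot make dnsdist cut off a legitimate client. The listen address, backend address and thresholds are assumptions.

```lua
-- Added example dnsdist configuration (Lua); addresses and thresholds are assumptions.
-- Front-end address to listen on. On OpenBSD this could be the address held by a
-- carp interface, assuming the interface is up and owns the IP on the master.
setLocal("192.0.2.53:53")                                    -- assumed (documentation prefix)
newServer({address="127.0.0.1:5353", name="local-resolver"}) -- assumed backend resolver

-- dnsdist calls maintenance() about once a second. exceedQRate(rate, seconds)
-- returns the client addresses that averaged more than `rate` queries/s over the
-- last `seconds` seconds; addDynBlocks() then blocks them for 60 seconds.
function maintenance()
  addDynBlocks(exceedQRate(50, 10), "Exceeded 50 qps over 10s", 60)
end

-- Rather than dropping, reply to blocked clients with the TC bit set. This only
-- affects UDP: a genuine client retries over TCP and is still answered, while a
-- forged UDP source cannot complete a TCP handshake, so spoofing a victim's
-- address does not silence that victim (the "self DoS" Stuart describes).
setDynBlocksAction(DNSAction.Truncate)
```

Blocked clients are visible with `showDynBlocks()` on the dnsdist console, which is the first thing to check when tuning the rate thresholds.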