[ratelimits] No response repeated queries

Pete Ashdown pashdown at xmission.com
Sun Sep 23 19:31:09 UTC 2012


First thanks for this patch.  I'm running it on our public recursors and it is
working much better than the bailing-wire/sticky-tape/fail2ban I had before.

Although I understand the usefulness of slip for targets that are pulling DNS
from a server, it would be nice if there was an option to not let the repeated
query slip at all.  I have slip at 10, responses-per-second at 20 and
qps-scale at 250, and I'm still letting out 50-80 slip requests a second for
party favorites like isc.org and ripe.net to targets under attack.  I'd rather
they were just silent on repeated queries for the duration of window.

Also, do I have my qps-scale set right?  The documentation doesn't make it
clear to me if queries exceed 250, how does slip and the other counters get
reduced/increased?


More information about the ratelimits mailing list