[ratelimits] No response repeated queries
Pete Ashdown
pashdown at xmission.com
Sun Sep 23 19:31:09 UTC 2012
First, thanks for this patch. I'm running it on our public recursors and it is
working much better than the baling-wire/sticky-tape/fail2ban I had before.

Although I understand the usefulness of slip for targets that are pulling DNS
from a server, it would be nice if there was an option to not let the repeated
query slip at all. I have slip at 10, responses-per-second at 20 and
qps-scale at 250, and I'm still letting out 50-80 slip requests a second for
party favorites like isc.org and ripe.net to targets under attack. I'd rather
they were just silent on repeated queries for the duration of the window.

Also, do I have my qps-scale set right? The documentation doesn't make it
clear to me, if queries exceed 250, how do slip and the other counters get
reduced/increased?