[ratelimits] new RRL patches with small bug fix
Paul Vixie
paul at redbarn.org
Sat Apr 6 19:59:50 UTC 2013
Geert Jan de Groot wrote:
> On Fri, 05 Apr 2013 12:00:01 +0000 ratelimits-request at lists.redbarn.org wrote:
>> DNS RRL is not recommended for recursive servers, because DNS clients
>> can send bursts of identical, legitimate requests.
>
> I'm surprised by this. I thought that something like this would work,
> and it did when I tested it:
this is a mixed-mode (recursive + authoritative) server, and you're
using exempt-clients{} to avoid RRL for RD=1 traffic. so, it's working
as intended, which is to say, you're not using RRL for recursive traffic.
paul
re:
>
> acl clients {
>     127.0.0.1/32;
>     192.0.2.0/24;
>     ...
> };
>
> options {
>     ...
>     allow-recursion {
>         clients;
>     };
>     rate-limit {
>         responses-per-second 5;
>         window 5;
>         exempt-clients {
>             clients;
>         };
>     };
> };
>
> What am I missing?
>
> Geert Jan
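An added example, not part of the original message and not BIND's code: a simplified Python model of the quoted rate-limit block, showing that addresses matched by exempt-clients bypass RRL entirely while identical responses to any other client block are limited once responses-per-second is exceeded. The per-/24 grouping, the credit arithmetic and the 198.51.100.x addresses are assumptions made for illustration.

```python
import ipaddress

# Values copied from the quoted named.conf fragment.
RESPONSES_PER_SECOND = 5
WINDOW = 5
EXEMPT_CLIENTS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.0.2.0/24")]

PREFIX_LEN = 24  # assumption: IPv4 clients are accounted per /24 block


class RRLModel:
    """Simplified model: one credit account per (client block, identical response)."""

    def __init__(self):
        self.accounts = {}  # (block, response_key) -> (credits, last_second)

    def decide(self, client, response_key, now):
        addr = ipaddress.ip_address(client)
        # exempt-clients is checked first: matching clients are never rate limited.
        if any(addr in net for net in EXEMPT_CLIENTS):
            return "exempt"
        block = ipaddress.ip_network(f"{client}/{PREFIX_LEN}", strict=False)
        key = (block, response_key)
        credits, last = self.accounts.get(key, (RESPONSES_PER_SECOND, now))
        # Earn credits for elapsed seconds, capped at one second's allowance.
        credits = min(RESPONSES_PER_SECOND,
                      credits + (now - last) * RESPONSES_PER_SECOND)
        # Spend one credit per response; debt is bounded by the window.
        credits = max(credits - 1, -WINDOW * RESPONSES_PER_SECOND)
        self.accounts[key] = (credits, now)
        return "send" if credits >= 0 else "limit"


def burst(model, client, n, now=0):
    """Tally decisions for n identical responses to one client in the same second."""
    tally = {}
    for _ in range(n):
        decision = model.decide(client, ("example.com", "A"), now)
        tally[decision] = tally.get(decision, 0) + 1
    return tally


if __name__ == "__main__":
    model = RRLModel()
    print(burst(model, "192.0.2.10", 20))    # inside the clients ACL
    print(burst(model, "198.51.100.7", 20))  # constructed address outside the ACL
```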