List:       openbsd-misc
Subject:    Re: limit UDP connection rate with PF pass rule
From:       Stuart Henderson <stu () spacehopper ! org>
Date:       2020-11-21 15:02:53
Message-ID: slrnrrib0t.9vl.stu () naiad ! spacehopper ! org
On 2020-11-18, mabi <mabi@protonmail.ch> wrote:
> > The DNS RRL techniques typically still reply to a proportion of queries
> > (either directly with the answer, or with a "retry over TCP" response
> > code) reducing impact if the source IP is also used by real queries as
> > well as the attack traffic.
> 
> I've been looking into that in the past and as I am using PowerDNS 4.0.3 the only
> valid config parameters I could find and which I already have in place are the
> following:
> overload-queue-length=1
> max-tcp-connections=5
> 
> There is as far as I know no such parameter as "max-udp-connections".
> 
> 

From what I can tell PowerDNS authoritative server doesn't handle
this directly but you can implement it by front-ending with dnsdist.
That isn't OpenBSD-specific so you are better asking on their mailing
lists if you need help with this.

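The RRL-style behaviour mentioned above (answer a proportion of queries, push the rest to TCP, drop only floods) can be expressed in a dnsdist configuration in front of PowerDNS Authoritative. This is an added example, not Stuart's or the PowerDNS project's configuration; the listening address 192.0.2.1, the backend port 5300 and the rate thresholds are assumptions.

```lua
-- dnsdist.conf: front-end PowerDNS Authoritative with per-source rate limiting.
-- Assumed layout: dnsdist owns port 53, PowerDNS Authoritative was moved to
-- 127.0.0.1:5300 (set local-port=5300 in pdns.conf).

setLocal("192.0.2.1:53")                             -- assumed public address, UDP + TCP
newServer({address = "127.0.0.1:5300", name = "pdns-auth"})

-- Flood tier (checked first): a single source exceeding 500 q/s is dropped.
-- Masks 32/64 count per IPv4 host and per IPv6 /64.
addAction(MaxQPSIPRule(500, 32, 64), DropAction())

-- RRL tier: above 50 q/s (burst of 100) UDP queries get a truncated answer
-- (TC=1) instead of data. A real resolver behind that IP retries over TCP,
-- where PowerDNS's max-tcp-connections applies; a spoofed UDP flood gets no
-- usable amplification. TCP queries are excluded so TC cannot loop.
addAction(AndRule({ NotRule(TCPRule(true)), MaxQPSIPRule(50, 32, 64, 100) }),
          TCAction())

-- Everything else is forwarded to the backend by the default pool.
```

The two MaxQPSIPRule instances keep independent counters, so order matters: the drop rule must precede the truncate rule or the flood tier is never reached.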
