Better ratelimiting? (again)
Daisuke HIGASHI
daisuke.higashi at gmail.com
Fri Dec 14 16:20:43 UTC 2018
Hi,
> I personally like the per-subnet option the most, as it gives full control over ip-ratelimiting.
I believe that when we need such a complicated rate-limiting feature
we should use another software component built for that purpose.
dnsdist (https://dnsdist.org) can do per-subnet query rate-limiting
as shown below.
=====================
-- dnsdist.conf
-- queries are forwarded to the backend 8.8.8.8
newServer({address="8.8.8.8"})
-- listen on all IPv4 and IPv6 addresses, port 53
addLocal("0.0.0.0:53")
addLocal("[::]:53")
-- ACL for the dnsdist service: only these client ranges are served
addACL("10.0.0.0/8")
addACL("192.168.0.0/16")
-- Mobile users: limit is 1 qps per single IP (/32)
mobile = newNMG()
mobile:addMask("10.0.0.0/24")
mobile:addMask("10.0.1.0/24")
mobile:addMask("10.0.2.0/24")
addAction(AndRule({NetmaskGroupRule(mobile), MaxQPSIPRule(1, 32)}),
          DropAction())
-- Business users: limit is 5 qps per block of 8 IPs (/29)
business = newNMG()
business:addMask("192.168.0.0/24")
addAction(AndRule({NetmaskGroupRule(business), MaxQPSIPRule(5, 29)}),
          DropAction())
==============
Regards,
--
Daisuke HIGASHI
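To make the effect of the /32 and /29 masks in the configuration above concrete, here is a small Python model of the same policy (ACL, netmask groups, and a per-masked-source token bucket). It is an added illustration, not dnsdist code and not part of the original post: the token-bucket refill, the "first matching rule decides" evaluation, and the IPv6 mask of 64 are assumptions chosen to mimic dnsdist's behaviour, and the query timeline is constructed sample data.

```python
"""Model of per-subnet query rate limiting in the style of dnsdist's
NetmaskGroupRule + MaxQPSIPRule. Added example, not dnsdist's own code."""
import ipaddress


def bucket_key(ip: str, v4mask: int, v6mask: int) -> ipaddress._BaseNetwork:
    """All sources inside the same masked prefix share one rate budget."""
    addr = ipaddress.ip_address(ip)
    mask = v4mask if addr.version == 4 else v6mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class TokenBucket:
    """Tokens refill at `rate` per second up to `burst`; one query costs one token.
    (Assumed simplification of dnsdist's limiter; burst defaults to the qps value.)"""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class NetmaskGroup:
    """Equivalent of newNMG() + addMask()."""

    def __init__(self, masks):
        self.nets = [ipaddress.ip_network(m) for m in masks]

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.nets)


class MaxQPSIPRule:
    """Equivalent of MaxQPSIPRule(qps, v4mask): one bucket per masked source."""

    def __init__(self, qps: float, v4mask: int = 32, v6mask: int = 64):
        self.qps, self.v4mask, self.v6mask = qps, v4mask, v6mask
        self.buckets = {}

    def allows(self, ip: str, now: float) -> bool:
        key = bucket_key(ip, self.v4mask, self.v6mask)
        bucket = self.buckets.setdefault(key, TokenBucket(self.qps, self.qps))
        return bucket.allow(now)


class RateLimiter:
    """ACL first, then addAction rules in order; unmatched queries are forwarded."""

    def __init__(self, acl, rules):
        self.acl = NetmaskGroup(acl)
        self.rules = rules  # list of (NetmaskGroup, MaxQPSIPRule) pairs

    def verdict(self, ip: str, now: float) -> str:
        if not self.acl.matches(ip):
            return "refused"          # outside addACL(): dnsdist will not serve it
        for group, qps_rule in self.rules:
            if group.matches(ip):
                return "forwarded" if qps_rule.allows(ip, now) else "dropped"
        return "forwarded"


def build_limiter() -> RateLimiter:
    """Same policy as the dnsdist.conf in the post."""
    mobile = NetmaskGroup(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"])
    business = NetmaskGroup(["192.168.0.0/24"])
    return RateLimiter(
        acl=["10.0.0.0/8", "192.168.0.0/16"],
        rules=[(mobile, MaxQPSIPRule(1, 32)), (business, MaxQPSIPRule(5, 29))],
    )


def run_demo() -> list:
    """Replay a constructed query timeline; returns (time, ip, verdict) tuples."""
    timeline = [(0.0, "10.0.0.5"), (0.1, "10.0.0.5"), (0.2, "10.0.0.5")]
    timeline += [(0.0, f"192.168.0.{i}") for i in range(1, 9)]  # .0/29 holds .0-.7
    timeline += [(0.0, "172.16.0.1"), (0.0, "10.0.5.9"),
                 (1.0, "192.168.0.6"), (1.05, "10.0.0.5")]
    limiter = build_limiter()
    return [(t, ip, limiter.verdict(ip, t)) for t, ip in timeline]


if __name__ == "__main__":
    for t, ip, v in run_demo():
        print(f"t={t:<5} {ip:<14} {v}")
```

The replay shows the point of the /29 mask: 192.168.0.1 through 192.168.0.7 draw from one 5 qps budget, so the sixth and seventh queries in the same second are dropped while 192.168.0.8, which falls in the next /29 block, is served from a fresh bucket. 172.16.0.1 is refused by the ACL before any rule runs, and 10.0.5.9 is inside the ACL but in no netmask group, so it is forwarded without limiting.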
More information about the Unbound-users mailing list