Better ratelimiting? (again)

Daisuke HIGASHI daisuke.higashi at gmail.com
Fri Dec 14 16:20:43 UTC 2018


Hi,

> I personally like the per-subnet option the most, as it gives full control over ip-ratelimiting.

  I believe that when we need such a complicated rate-limiting feature,
we should use another software component built for that purpose.

  dnsdist (https://dnsdist.org) can do per-subnet query rate-limiting
like the configuration below.

=====================
-- dnsdist.conf

-- queries forwarded to 8.8.8.8

newServer({address="8.8.8.8"})
addLocal("0.0.0.0:53")
addLocal("[::]:53")

-- ACL for dnsdist service
addACL("10.0.0.0/8")
addACL("192.168.0.0/16")

-- Mobile users limit is 1 qps per one IP (/32)
mobile = newNMG()
mobile:addMask("10.0.0.0/24")
mobile:addMask("10.0.1.0/24")
mobile:addMask("10.0.2.0/24")
addAction(AndRule({NetmaskGroupRule(mobile), MaxQPSIPRule(1, 32)}),
DropAction())

-- business users limit is 5 qps per 8 IP (/29)
business = newNMG()
business:addMask("192.168.0.0/24")
addAction(AndRule({NetmaskGroupRule(business), MaxQPSIPRule(5, 29)}),
DropAction())
==============

Regards,
-- 
Daisuke HIGASHI
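To show what the two MaxQPSIPRule lines in the dnsdist.conf above actually do with the prefix-length argument, here is an added Python model of the same policy (example code written for this post, not part of dnsdist or of the original message). It assumes a simple fixed one-second counting window rather than dnsdist's token-bucket implementation, reuses the same networks and limits as the posted config, and ignores the addACL lines, which are a separate access check in dnsdist.

```python
"""Per-prefix QPS limiter modelled on the dnsdist rules quoted in the post.

Assumptions (not dnsdist's real implementation): a fixed one-second
window per aggregated prefix, and the first matching netmask group wins.
"""
import ipaddress
from collections import defaultdict

# Constructed policy mirroring the post's dnsdist.conf:
# (netmask group, qps limit, prefix length used to aggregate clients)
POLICIES = [
    (["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"], 1, 32),  # mobile: 1 qps per /32
    (["192.168.0.0/24"], 5, 29),                              # business: 5 qps per /29
]


class PrefixQpsLimiter:
    """Counts queries per (policy, aggregated prefix, second) and drops over the limit."""

    def __init__(self, policies):
        self.policies = [
            ([ipaddress.ip_network(n) for n in nets], qps, plen)
            for nets, qps, plen in policies
        ]
        self.counts = defaultdict(int)

    def match_policy(self, ip):
        """Return (index, qps, prefix_len) of the first group containing ip, else None."""
        for idx, (nets, qps, plen) in enumerate(self.policies):
            if any(ip in n for n in nets):
                return idx, qps, plen
        return None

    def decide(self, src, now):
        """Return "pass" or "drop" for one query from src at time now (seconds)."""
        ip = ipaddress.ip_address(src)
        hit = self.match_policy(ip)
        if hit is None:
            return "pass"  # no rate-limit rule applies to this source
        idx, qps, plen = hit
        # Aggregate the client into its /plen prefix: /32 is one host,
        # /29 means eight neighbouring addresses share one budget.
        bucket = ipaddress.ip_network((ip, plen), strict=False)
        key = (idx, bucket, int(now))
        self.counts[key] += 1
        return "drop" if self.counts[key] > qps else "pass"


def simulate(limiter, events):
    """Feed (time, src) events through the limiter; return pass/drop counts per source."""
    result = defaultdict(lambda: {"pass": 0, "drop": 0})
    for t, src in events:
        result[src][limiter.decide(src, t)] += 1
    return dict(result)


if __name__ == "__main__":
    # Constructed traffic: one mobile host bursting, six business hosts in one /29.
    events = [(0.1, "10.0.1.7"), (0.2, "10.0.1.7"), (0.3, "10.0.1.7")]
    events += [(0.0, f"192.168.0.{i}") for i in range(1, 7)]
    for src, outcome in simulate(PrefixQpsLimiter(POLICIES), events).items():
        print(src, outcome)
```

The business case is the instructive one: six hosts in 192.168.0.0/29 each sending a single query still exceed the 5 qps budget, because the /29 mask pools them, while a host in the neighbouring 192.168.0.8/29 is counted separately.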



More information about the Unbound-users mailing list