> On 05.05.2021 at 16:20, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> This is usually best dealt with in your DNS server software e.g. by using
> the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
> section in BIND.

Yes, I have this in place now, but I am trying to let the fw drop them.
This doesn't seem to be working:
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'
…
pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
        port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

Is this not possible with udp?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
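As an added note, not part of Axel's message or Stuart's reply: in pf the max-src-conn and max-src-conn-rate limits count TCP connections that completed the 3-way handshake, so a UDP-only rule never reaches them and the overload table stays empty; the per-source option pf does evaluate for UDP states is max-src-states. The rule below is an added illustration that reuses $red_if, $ns4, $ns5 and <bruteforce> from the post; the max-src-states value is a constructed placeholder to tune, not a figure from the thread.

```pf
# Original (from the post): max-src-conn-rate is only checked when a TCP
# state reaches ESTABLISHED, so for UDP the limit never trips and the
# <bruteforce> table is never populated.
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global)'

# UDP-applicable variant: cap the number of concurrent states one source
# address may hold (implies source-track rule). Once a source is at the cap,
# further queries from it are dropped until some of its states expire.
# overload/flush is tied to the two TCP connection limits, so it is left off.
# 120 is a constructed placeholder, not a value from the thread.
udp_inbound_dns_options = 'keep state (max-src-states 120)'

pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
        port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
```

Because nothing validates a UDP sender, a flood spoofing a legitimate resolver's address consumes that resolver's per-source budget, which is why the software-level rate limiting Stuart mentioned remains the primary control. How quickly a source's count drains is governed by the udp.* state timeouts in pf.conf(5).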

