On 18/07/2023 23:59, Stuart Henderson wrote:
> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "self DoS").
> You may be interested in looking into L7 methods of mitigating
> problems from high rates of DNS queries - for example dnsdist
> allows a lot of flexibility in this area.

dnsdist looks interesting.

Can it run on top of carp interfaces?

Maybe even better, can it run under relayd (redirect) on top of carp?

