Could you add something in iptables for rate limiting? Granted that won't handle NXDOMAIN/SRVFAIL specifically, but you could probably guess a high end average and cap it to that.
-Jon

On Tue, Sep 6, 2011 at 21:36, Andrew Melton <[email protected]> wrote:
> Following the advice from the IRC channel, I am looking for throttling
> support in PDNS. As I understand it, the recursor currently has the
> ability to suppress repetitive queries from being forwarded to an
> authoritative name server. However, there is no mechanism to discourage
> those requests from the client in the first place.
>
> Essentially, instead of answering a bogus query forever, at a certain
> point, it would make sense to return an alternate response. After 50
> requests for an NXDOMAIN, the recursor could not only stop forwarding
> queries, but reply with SRVFAIL or similar, updating its cache accordingly.
>
> Just as with setting a throttling threshold on forwarding, x requests
> within y seconds would constitute a flood and instruct the recursor to
> protect itself by altering its response to identical requests.
>
> And pushing this to a network appliance (firewall) won't work. It needs to
> be unattended and realtime.
>
> Thanks.
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
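As an added example, not from the thread itself: the per-source rate cap Jon suggests, written as iptables hashlimit rules. The interface name, the 50 queries/second average and the burst of 100 are assumptions, and as Jon notes it counts packets per client, not NXDOMAIN answers.

```shell
#!/bin/sh
# Added example: per-source-IP rate limit for inbound DNS queries using the
# iptables hashlimit match. Assumed values: 50 pkt/s average, burst of 100,
# interface eth0. Override them with environment variables if needed.
AVG="${DNS_RATE_AVG:-50/second}"
BURST="${DNS_RATE_BURST:-100}"
IFACE="${DNS_IFACE:-eth0}"

# Emit the rule set as text so it can be reviewed before touching live state.
dns_ratelimit_rules() {
    cat <<EOF
iptables -N DNS_IN
iptables -A INPUT -i $IFACE -p udp --dport 53 -j DNS_IN
iptables -A INPUT -i $IFACE -p tcp --dport 53 --syn -j DNS_IN
iptables -A DNS_IN -m hashlimit --hashlimit-name dns_in --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto $AVG --hashlimit-burst $BURST -j ACCEPT
iptables -A DNS_IN -m limit --limit 6/minute -j LOG --log-prefix DNS-RATELIMIT:
iptables -A DNS_IN -j DROP
EOF
}

# Number of rules generated; a quick sanity check before applying.
dns_ratelimit_rule_count() {
    dns_ratelimit_rules | wc -l | tr -d ' '
}

# Apply only when asked explicitly: this needs root and changes the firewall.
if [ "${1:-}" = "apply" ]; then
    dns_ratelimit_rules | while IFS= read -r rule; do eval "$rule"; done
else
    dns_ratelimit_rules
fi
```

Clients over the limit are logged (rate-limited to six messages a minute) and then dropped; the LOG line is where a detection pipeline would pick up a flooding source.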
