Hi,

> I personally like the per-subnet option the most, as it gives full control
> over ip-ratelimiting.

I believe that when we need such a complicated rate-limiting feature we should use another software component built for that purpose. dnsdist (https://dnsdist.org) can do per-subnet query rate limiting as below.

=====================
-- dnsdist.conf

-- queries forwarded to 8.8.8.8
newServer({address="8.8.8.8"})
addLocal("0.0.0.0:53")
addLocal("[::]:53")

-- ACL for dnsdist service
addACL("10.0.0.0/8")
addACL("192.168.0.0/16")

-- Mobile users' limit is 1 qps per one IP (/32)
mobile = newNMG()
mobile:addMask("10.0.0.0/24")
mobile:addMask("10.0.1.0/24")
mobile:addMask("10.0.2.0/24")
-- MaxQPSIPRule(qps, v4Mask): second argument is the prefix length the source address is truncated to
addAction(AndRule({NetmaskGroupRule(mobile), MaxQPSIPRule(1, 32)}), DropAction())

-- Business users' limit is 5 qps per 8 IPs (/29)
business = newNMG()
business:addMask("192.168.0.0/24")
addAction(AndRule({NetmaskGroupRule(business), MaxQPSIPRule(5, 29)}), DropAction())
==============

Regards,
-- 
Daisuke HIGASHI
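The following is an added example, not code from the message above or from dnsdist itself. It models what the `MaxQPSIPRule(qps, mask)` rules in that configuration do: the client address is truncated to the mask, one token bucket is kept per resulting prefix, and the bucket refills at `qps` tokens per second with a burst equal to `qps` (the assumed default). The bucket and refill logic is a simplified model, and the client addresses and timestamps are constructed input. It shows concretely why "5 qps per /29" means eight hosts share one budget while "1 qps per /32" gives each host its own.

```python
"""Model of per-subnet query rate limiting in the style of dnsdist's MaxQPSIPRule.

Added example, not the original message's code and not dnsdist's implementation.
Assumption: the client address is truncated to v4_mask/v6_mask, one token bucket
exists per truncated prefix, and the burst defaults to qps.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Bucket:
    tokens: float  # tokens available; one query consumes one token
    last: float    # timestamp of the last refill


class PerSubnetLimiter:
    """Token bucket keyed by the client's address truncated to a prefix length."""

    def __init__(self, qps: float, v4_mask: int = 32, v6_mask: int = 64,
                 burst: Optional[float] = None) -> None:
        self.qps = qps
        self.v4_mask = v4_mask
        self.v6_mask = v6_mask
        self.burst = qps if burst is None else burst  # assumed default: burst == qps
        self.buckets: Dict[str, Bucket] = {}

    def bucket_key(self, client: str) -> str:
        """Return the prefix that every client sharing a bucket maps to."""
        ip = ipaddress.ip_address(client)
        mask = self.v4_mask if ip.version == 4 else self.v6_mask
        return str(ipaddress.ip_network((str(ip), mask), strict=False))

    def allow(self, client: str, now: float) -> bool:
        """True if the query may pass, False if the rule would drop it."""
        key = self.bucket_key(client)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=self.burst, last=now)
            self.buckets[key] = bucket
        # refill in proportion to elapsed time, never above the burst size
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.qps)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False


def run(limiter: PerSubnetLimiter,
        queries: List[Tuple[float, str]]) -> Tuple[List[str], List[str]]:
    """Feed (timestamp, client) pairs through the limiter; return (allowed, dropped)."""
    allowed: List[str] = []
    dropped: List[str] = []
    for ts, client in queries:
        (allowed if limiter.allow(client, ts) else dropped).append(client)
    return allowed, dropped


def business_demo() -> Tuple[List[str], List[str]]:
    """'business' rule: 5 qps per /29. Constructed input: eight hosts query at t=0.

    192.168.0.1-7 fall in 192.168.0.0/29 and share five tokens, so two are dropped;
    192.168.0.8 is the first host of 192.168.0.8/29 and gets a fresh bucket.
    """
    limiter = PerSubnetLimiter(qps=5, v4_mask=29)
    queries = [(0.0, f"192.168.0.{i}") for i in range(1, 9)]
    return run(limiter, queries)


def mobile_demo() -> Tuple[List[str], List[str]]:
    """'mobile' rule: 1 qps per /32. Constructed input: one chatty host, one quiet host."""
    limiter = PerSubnetLimiter(qps=1, v4_mask=32)
    queries = [
        (0.0, "10.0.0.5"), (0.0, "10.0.0.5"), (0.0, "10.0.0.5"),  # burst from one host
        (0.0, "10.0.0.6"),                                        # neighbour is unaffected
        (1.0, "10.0.0.5"),                                        # one token refilled after 1 s
    ]
    return run(limiter, queries)


if __name__ == "__main__":
    print("business:", business_demo())
    print("mobile:", mobile_demo())
```

The practical caveat this makes visible: with a /29 key, a single misbehaving host in a business subnet exhausts the budget for its seven neighbours, which is exactly the trade-off the per-subnet option buys.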
