On 2013-03-29 at 22:26 +0100, Rok Potočnik wrote:
> Can we expect unbound query rate limiting
> (http://www.redbarn.org/dns/ratelimits) per client/source in future
> releases?

That's a feature for authoritative DNS service. Myself, I highly recommend and endorse those rate-limits for authoritative servers: in particular, their patch for bind works really well.

Unbound is a _resolver_. It does not provide authoritative service except as a local_data hack for splicing data in. The rate limit concepts as defined on that page simply don't apply to Unbound.

You should not be providing recursive DNS service that's open to the Internet. See the "access-control:" directive. If you're only providing recursive DNS service to your own customers, then you can block packets with a source IP that claims to be your customers at your border routers, so the spoofed traffic is blocked before it even reaches your DNS servers.

What is your setup, that you need to have recursive service offered to third-party networks, and what issues are you trying to solve?

-Phil
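
Added example, not part of the original message and not Unbound project code: a small audit that reads the "access-control:" rules from an unbound.conf and reports any rule granting recursion to a netblock outside the operator's own networks. The sample configuration, the `OWN_NETWORKS` list and the function names are constructed for illustration.

```python
import ipaddress

# access-control actions that grant recursive service to the netblock.
GRANTING = {"allow", "allow_snoop"}

# Constructed sample config: line 3 makes this an open resolver,
# line 6 grants service to a network the operator does not own.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 203.0.113.0/24 allow_snoop
    access-control: 198.51.100.0/24 refuse   # explicit refusal
    access-control: ::1 allow
"""

# Assumption: the networks whose clients should get recursion.
OWN_NETWORKS = ["127.0.0.0/8", "::1/128", "192.0.2.0/24"]

def parse_access_control(conf_text):
    """Yield (lineno, network, action) for each access-control: line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) != 2:
            continue                                  # malformed, skip
        netblock, action = (f.strip('"') for f in fields)
        yield lineno, ipaddress.ip_network(netblock, strict=False), action

def audit(conf_text, own_networks):
    """Return allow-type rules whose netblock is not inside own_networks."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    findings = []
    for lineno, net, action in parse_access_control(conf_text):
        if action not in GRANTING:
            continue
        covered = any(net.version == o.version and net.subnet_of(o)
                      for o in own)
        if not covered:
            findings.append((lineno, str(net), action))
    return findings

if __name__ == "__main__":
    for lineno, net, action in audit(SAMPLE_CONF, OWN_NETWORKS):
        print(f"line {lineno}: {net} {action} is outside own networks")
```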
