From: George Thessalonikefs Date: Sun, 30 Jan 2022 00:04:15 +0000 (+0100) Subject: - Update unbound.conf manpage and example.conf file for ratelimit X-Git-Tag: release-1.15.0rc1~12^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52283194ebbe3b69facf40c3efd2d666ae66f3df;p=thirdparty%2Funbound.git - Update unbound.conf manpage and example.conf file for ratelimit options. --- diff --git a/doc/example.conf.in b/doc/example.conf.in index 09047f348..64f4cd988 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -860,6 +860,10 @@ server: # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 @@ -880,6 +884,10 @@ server: # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 9af909cab..bb556300b 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1696,7 +1696,7 @@ to use different settings for a top\-level\-domain and subdomains. A value of 0 will disable ratelimiting for domain names that end in this name. .TP 5 .B ip\-ratelimit: \fI -Enable global ratelimiting of queries accepted per ip address. +Enable global ratelimiting of queries accepted per IP address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. @@ -1723,6 +1723,15 @@ This can make ordinary queries complete (if repeatedly queried for), and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ip\-ratelimit\-backoff: \fI +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ip\-ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B outbound\-msg\-retry: \fI The number of retries Unbound will do in case of a non positive response is received. If a forward nameserver is used, this is the number of retries per
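Review bot: the first doc/example.conf.in hunk adds a commented-out `ratelimit-backoff: no`, but no hunk in doc/unbound.conf.5.in adds a matching `.TP 5 / .B ratelimit\-backoff:` entry; only `ip\-ratelimit\-backoff` is documented in the manpage. Unless a further hunk was dropped from this view, the domain-name variant needs its own manpage paragraph next to `ratelimit\-factor`, otherwise the two files disagree on which options exist.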
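Review bot: in the second doc/example.conf.in hunk the comment "until demand has decreased in a 2 second rate window" does not say what demand must fall below, while the manpage text in this same patch says "below the configured ratelimit". Suggest `# decreased below the configured ip-ratelimit for a 2 second rate window.` so an operator reading only example.conf gets the same condition.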
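Review bot: the `ip address` to `IP address` capitalisation fix in the @@ -1696 hunk is applied to one manpage line only; the context line `# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through` in doc/example.conf.in, visible in this same patch, keeps the lowercase form. If the spelling is being normalised, both files should change together.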
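Review bot: in the @@ -1723 hunk the sentence "the ratelimit is treated as a hard failure instead of the default maximum allowed constant rate" is hard to parse and "demand continues to be kept track of" is awkward; suggest "the ratelimit becomes a hard cut-off rather than a sustained maximum rate" and "demand continues to be tracked". The clause "No traffic is allowed, except for ip\-ratelimit\-factor" should state what the exception means, i.e. the 1/xth share that ip\-ratelimit\-factor lets through still passes. Since the text says a source address stays limited until its demand drops below ip\-ratelimit for a full 2 second window, the paragraph should also spell out for operators that a shared source address (many clients behind one address) remains blocked for that whole period, so "a suspicious rate" needs to be chosen with that in mind.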