projects / thirdparty / pdns.git / blame
| Commit | Line | Data |
|---|---|---|
| 20d81666 PL |
1 | Rules for traffic exceeding QPS limits |
| 2 | ====================================== | |
| 3 | ||
| 4 | Traffic that exceeds a QPS limit, in total or per IP (subnet) can be matched by the :func:`MaxQPSIPRule`-rule. For example: | |
| 5 | ||
| 6 | .. code-block:: lua | |
| 7 | ||
| 832c1792 | 8 | addAction(MaxQPSIPRule(5, 32, 48), DelayAction(100)) |
| 20d81666 | 9 | |
| e87c3dd0 | 10 | This measures traffic per IPv4 address and per /48 of IPv6, and if UDP traffic for such an address (range) exceeds 5 :term:`qps`, it gets delayed by 100ms. |
| 20d81666 PL |
11 | |
| 12 | As another example: | |
| 13 | ||
| 14 | .. code-block:: lua | |
| 15 | ||
| 16 | addAction(MaxQPSIPRule(5), NoRecurseAction()) | |
| 17 | ||
| 18 | This strips the Recursion Desired (RD) bit from any traffic per IPv4 or IPv6 /64 that exceeds 5 qps. This means any those traffic bins is allowed to make a recursor do 'work' for only 5 qps. | |
| 19 | ||
| 20 | If this is not enough, try: | |
| 21 | ||
| 22 | .. code-block:: lua | |
| 23 | ||
| 24 | addAction(MaxQPSIPRule(5), DropAction()) | |
| 25 | -- or | |
| 26 | addAction(MaxQPSIPRule(5), TCAction()) | |
| 27 | ||
| 28 | This will respectively drop traffic exceeding that 5 QPS limit per IP or range, or return it with TC=1, forcing clients to fall back to TCP. | |
| 29 | ||
| 30 | To turn this per IP or range limit into a global limit, use ``NotRule(MaxQPSRule(5000))`` instead of :func:`MaxQPSIPRule`. |