[dns-operations] dns response rate limiting (DNS RRL) patch available for testing
Ken A
ka at pacific.net
Tue Jun 12 15:33:23 UTC 2012
On 6/12/2012 10:16 AM, Vernon Schryver wrote:
>> From: Ken A <ka at pacific.net>
>> To: dns-operations at mail.dns-oarc.net
>
>> On an authoritative + recursive server, instead of a separate view, we use:
>> acl "trusted" { x.x.x.x/z; };
>> allow-recursion { trusted; };
>>
>> Is there any way to apply this patch so that it does not affect a
>> specific acl, such as "trusted" addresses?
>>
>> Or, is it recommended/required that we configure separate views to use this?
>
> Separate views are required to apply rate limiting to some but not
> all DNS clients, unless you are of the school that holds
> authoritative+recursive servers are always utterly wrong. In that
> case separate servers are required.
We are a small ISP, and it has not been necessary.
We do run separate caching servers for mail server use.
> Would it be easy to transform your configuration file to use views via
> the include directive? My named.conf files look something like
>
> view "insiders" {
>     match-clients { goodnets; };
>     recursion yes;
>     include "privatezones";
>     include "publiczones";
>     response-policy {
>         ...
>     };
> };
> view "outsiders" {
>     match-clients { any; };
>     recursion no;
>     include "publiczones";
>     rate-limit { ... };
> };
>
Yes, only straightforward / minor changes would be needed.
Thanks,
Ken
> Vernon Schryver vjs at rhyolite.com
>
--
Ken Anderson
Pacific Internet - http://www.pacific.net
Latest Pacific.Net Status - http://twitter.com/pacnetstatus
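The transformation discussed above, written out as an added example (it is not a configuration from the thread, from Ken or from Vernon): a single-view authoritative + recursive named.conf that used `acl "trusted"` plus `allow-recursion { trusted; }` is split into two views so that `rate-limit` applies only to clients outside the trusted ACL. The ACL prefix, zone name, file paths and the numeric rate-limit values are placeholders and assumptions; the `rate-limit` option names are those the RRL code carries in later BIND releases (9.9.4 and newer), not necessarily the exact spelling in the 2012 test patch, so check them against the patch's documentation before use.

```conf
// Added example, not from the thread. Assumed prefixes: replace with your own nets.
acl "trusted" { 192.0.2.0/24; 127.0.0.1; ::1; };

options {
    directory "/var/named";      // assumed path
    // recursion is now decided per view; the old global allow-recursion is gone
};

// Order matters: the first view whose match-clients list matches the
// querying address wins, so the trusted view must precede the catch-all.
view "insiders" {
    match-clients { trusted; };
    recursion yes;
    // The same public zone must appear in every view that should answer for it.
    // Vernon's include "publiczones" pattern avoids repeating it by hand.
    zone "example.net" {                 // assumed zone name
        type master;
        file "zones/example.net.db";     // assumed file
    };
    // no rate-limit clause here: trusted resolvers are never throttled
};

view "outsiders" {
    match-clients { any; };
    recursion no;                        // authoritative answers only for the world
    zone "example.net" {
        type master;
        file "zones/example.net.db";     // same master file, second view
    };
    rate-limit {
        responses-per-second 5;          // identical responses per client block per second
        window 5;                        // seconds over which the limit is averaged
        slip 2;                          // every 2nd dropped answer becomes a TC=1 reply
        ipv4-prefix-length 24;           // count clients per /24, not per address
        ipv6-prefix-length 56;
        log-only yes;                    // dry run: log what would be limited, drop nothing
    };
};
```

Validate with `named-checkconf` before reloading, and keep `log-only yes` for the first days so the log shows which answers would have been limited without actually dropping any; only then switch to `log-only no`. Two caveats: a client matched by `trusted` never reaches the "outsiders" view, so a spoofed source inside your own prefix is not rate limited either, and the shared zone file is only safe for master zones, since two views slaving the same zone into one file path will conflict.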