- Program: dnsdist
- Issue type: Bug report
Short description
I'm not sure if this should be filed as a feature request instead of a bug report, but I feel like this is somewhat unexpected. Please let me know if I should open a feature request instead.
I have configured three Dynamic Block Rules (DBRs) with varying QPS thresholds and setMasks bits. The last DBR has a very high QPS limit and setMasks configured to /16 (for IPv4) to protect against highly distributed DoS attacks. For each of these DBRs, I have excluded several subnets (using excludeRange) from which I receive high volumes of legitimate traffic.
However, traffic from one of the excluded subnets (a /21), in combination with high volumes of traffic from other parts of the /16, still results in the entire /16 being blocked by the third DBR (the one with setMasks set to 16 bits). I would expect traffic from excluded subnets not to count towards the QPS threshold.
I understand that excludeRange prevents dynamic blocks from being inserted for clients in these excluded ranges, but only if the excluded subnet has a netmask lower than setMasks, which is why I think it would make sense to exclude this traffic from counting towards the various thresholds, including QPS.
Environment
- Operating system: Ubuntu 22.04
- Software version: dnsdist 1.9.6
- Software source: PowerDNS repository
Steps to reproduce
- Create a Dynamic Block Rule with an excludeRange (the QPS threshold is lowered here to make it easier to trigger):

```lua
local dbr = dynBlockRulesGroup()
dbr:excludeRange({'1.2.32.0/21'})          -- legitimate high-volume /21, should never be blocked
dbr:setMasks(16, 32, 0)                    -- aggregate clients at /16 for IPv4, /32 for IPv6, ignore port bits
dbr:setQueryRate(50, 10, "dbr: Exceeded threshold", 60)  -- 50 qps over 10 s, block for 60 s
```
- Generate a lot of traffic from the excluded subnets
- dbr is triggered and 1.2.0.0/16 is blocked
Expected behaviour
Traffic from the excluded subnet should not count towards the QPS threshold and the /16 subnet should not get blocked (unless non-excluded parts of the subnet exceed the threshold limit, of course)
Actual behaviour
Traffic from the excluded subnets is counted towards the QPS threshold and is blocked
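To make the reported behaviour concrete, here is a small model (added for this write-up, not dnsdist's code) of how a dynamic block rule aggregates client addresses with setMasks and checks the query rate. It uses the report's values (excludeRange 1.2.32.0/21, /16 masks, 50 qps over 10 s) and a constructed traffic sample, and compares counting every client (what the report observes) against skipping excluded clients (what the reporter expects). It models only the counting step, not how dnsdist matches excludeRange when inserting a block.

```python
# Added example, not dnsdist's code: a model of setMasks aggregation plus a
# QPS check, run once with excluded ranges counted and once with them skipped.
import ipaddress
from collections import Counter

EXCLUDE = [ipaddress.ip_network("1.2.32.0/21")]   # excludeRange from the report
V4_MASK = 16                                      # setMasks(16, 32, 0)
QPS_LIMIT = 50                                    # setQueryRate(50, 10, ...)
WINDOW_SECONDS = 10


def bucket(ip: str, v4_mask: int = V4_MASK) -> ipaddress.IPv4Network:
    """Truncate a client address to the aggregation prefix given by setMasks."""
    return ipaddress.ip_network(f"{ip}/{v4_mask}", strict=False)


def is_excluded(ip: str) -> bool:
    """True when the client falls inside one of the excludeRange networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDE)


def blocked_prefixes(queries, skip_excluded: bool):
    """queries: iterable of (client_ip, query_count) seen in one window.
    Returns the set of aggregated prefixes whose rate exceeds QPS_LIMIT."""
    counts = Counter()
    for ip, n in queries:
        if skip_excluded and is_excluded(ip):
            continue                      # reporter's expectation: not counted
        counts[bucket(ip)] += n
    return {net for net, n in counts.items() if n / WINDOW_SECONDS > QPS_LIMIT}


# Constructed sample window: 400 queries from the excluded /21 and 200 from
# the rest of 1.2.0.0/16 (20 qps, well under the limit on their own).
SAMPLE = [("1.2.33.10", 250), ("1.2.38.7", 150), ("1.2.5.1", 120), ("1.2.200.4", 80)]

if __name__ == "__main__":
    print("excluded counted (reported):", blocked_prefixes(SAMPLE, skip_excluded=False))
    print("excluded skipped (expected):", blocked_prefixes(SAMPLE, skip_excluded=True))
```

With the excluded /21 counted, the /16 bucket reaches 60 qps and 1.2.0.0/16 is blocked; with it skipped, the remaining 20 qps stays under the limit and nothing is blocked.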
Other information