mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
[master] DDoS mitigation features
3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack.

- "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option.
- "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)
- New stats counters have been added to count queries spilled due to these quotas.

See the ARM for details of these options. [RT #37125]
@@ -173,6 +173,8 @@ options {\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
fetches-per-zone 0;\n\
fetch-quota-params 100 0.1 0.3 0.7;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
max-recursion-depth 7;\n\
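Review bot: the default `fetch-quota-params 100 0.1 0.3 0.7;` added here carries four positional values with nothing nearby saying what each one controls, and the commit message only says the option configures the algorithm that adjusts the "fetches-per-server" quota. These lines sit inside a string literal and cannot take inline comments, so a short comment above the defaults block, or a sentence in the CHANGES entry naming the four fields, would make the default reviewable. The same goes for `fetches-per-zone 0;`: state what 0 means as a default, so operators know whether the zone quota is active out of the box.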
@@ -180,6 +182,7 @@ options {\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
fetches-per-server 0;\n\
"
#ifdef HAVE_GEOIP
"\
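Review bot: `fetches-per-server 0;` is added after `allow-new-zones no;`, away from `fetches-per-zone` and `fetch-quota-params`, which the previous hunk places next to `clients-per-query`. The commit message says "fetch-quota-params" tunes the "fetches-per-server" quota, so the two defaults are easier to audit side by side; if they are split because the options apply at different scopes, say so in the commit message. It would also help to state what a starting value of 0 means for the automatic downward adjustment described there.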