[master] DDoS mitigation features

3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]
2025-09-05 09:05:40 +00:00 · 2015-07-08 22:53:39 -07:00
parent e8f98ec8d4
commit 1479200aa0
41 changed files with 1976 additions and 102 deletions
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -15,8 +15,6 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: log.c,v 1.49 2011/10/13 22:48:24 tbox Exp $ */
-
 /*! \file */

 /* Principal Authors: DCL */
@@ -47,6 +45,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
 	{ "rpz",	0 },
 	{ "rate-limit",	0 },
 	{ "cname",	0 },
+	{ "spill",	0 },
 	{ NULL, 	0 }
 };