[nsd-users] RRL: Whitelist based on client IP address

Guillaume-Jean Herbiet gjherbiet at restena.lu
Thu Aug 9 10:18:30 CEST 2018


Hi,

Simple, and possibly silly, question:

I am migrating a config from BIND to NSD (4.1.23) that has rate-limit:

rate-limit {
  responses-per-second 100;
  slip 2;
  ipv4-prefix-length 32;
  ipv6-prefix-length 64;
  exempt-clients { ... };
}

Hence, I have set the following in my NSD config:

rrl-ratelimit: 100
rrl-slip: 2
rrl-ipv4-prefix-length: 32
rrl-ipv6-prefix-length: 64
rrl-whitelist-ratelimit: 0

I would like to apply the 'rrl-whitelist-ratelimit' to some clients
(identified by source IP) to mimic the 'exempt-clients' option in BIND.

The closest thing I have seen in the '' zone options.

Is RRL whitelisting based on client IP address available in NSD and how
to achieve it?

If not, is NOTIFY/AXFR from/to master servers counted in the RLL?

Thanks in advance.

-- 
Guillaume-Jean Herbiet, PhD
System engineer

Fondation RESTENA / dns.lu
2, avenue de l'Université
L-4365 Esch-sur-Alzette
tel.: +352.424409
fax.: +352.422473
https://www.restena.lu  https://www.dns.lu

Public key ID: 0x3A4C47C7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://open.nlnetlabs.nl/pipermail/nsd-users/attachments/20180809/271afe13/attachment.sig>


More information about the nsd-users mailing list