Randy,
First, what is your Knot DNS version?
What do Knot/RRL logs look like?
You can use mod-cookies without mod-rrl, but this setup doesn't provide
defense against reflection attacks. Please keep in mind that DNS cookies
are OPTIONAL, so attackers wouldn't use them! The only benefit is that
resolvers know, if they use cookies, that responses originate from your Knot.
Daniel
On 3/7/25 19:03, Randy Bush wrote:
is there any guidance on using mod-rrl on a public server with a
moderate load, say 6kqps? we have rtfm, and remain unsure of
what we are doing. we want cookies, and therefore need to turn
rrl on. but with it turned on, we seem to drop a *lot* of
replies, a lot.
mod-rrl:
  - id: default
    rate-limit: 200
    slip: 2
randy
--
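For readers following the thread, here is an added configuration example that is not from Daniel's or Randy's mail and not from the Knot DNS documentation. It shows mod-cookies and mod-rrl attached side by side in a Knot DNS 3.x configuration, the way Daniel describes (cookies are usable on their own; only mod-rrl bounds reflection). The zone name, the whitelisted prefixes, the secret lifetime, the rate and slip values and the log period are illustrative assumptions, not recommended settings, and the exact option set varies between 3.x minor versions (which is why the Knot version matters).

```yaml
# Added example (not from the thread, not Knot's own documentation).
# Knot DNS 3.x: DNS cookies and response rate limiting enabled together.
# Addresses, zone and numeric values are assumptions chosen for illustration.

mod-cookies:
  - id: default
    secret-lifetime: 30h      # assumed: how long one server secret is used before rotation
    badcookie-slip: 3         # assumed: answer only every 3rd query carrying an invalid
                              # server cookie with BADCOOKIE, drop the rest

mod-rrl:
  - id: default
    rate-limit: 200           # identical responses per second per client prefix
    slip: 2                   # every 2nd limited response goes out truncated (TC=1),
                              # so a legitimate resolver retries over TCP instead of
                              # silently losing the answer
    whitelist: [ 192.0.2.0/24, 2001:db8::/32 ]   # assumed: own resolvers/secondaries,
                                                  # never rate limited
    log-period: 60000         # assumed: at most one RRL log summary per minute (ms)

template:
  - id: default
    global-module: [ mod-cookies/default, mod-rrl/default ]   # both modules on every query

zone:
  - domain: example.net       # assumed zone
```

The two modules address different problems. A spoofed-source query that carries no cookie is still answered, because cookies are optional on the client side, so the reflection bound comes only from mod-rrl; mod-cookies lets a cookie-aware resolver verify that answers really came from this server. When legitimate resolvers are being limited, the whitelist takes known heavy clients out of the limiter entirely, and keeping slip above zero makes the remaining drops recoverable over TCP rather than outright lost.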