From f59e66a8ac3d2231764184ceb89abb0c1b06d0b1 Mon Sep 17 00:00:00 2001
From: Nathan Woodburn
Date: Fri, 15 Aug 2025 17:21:23 +1000
Subject: [PATCH] feat: Update dnsdist config
---
 dnsdist.conf | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/dnsdist.conf b/dnsdist.conf
index ce96690..6f81c13 100644
--- a/dnsdist.conf
+++ b/dnsdist.conf
@@ -1,9 +1,9 @@
 -- --- Dynamic block rules
 local dbr = dynBlockRulesGroup()
-dbr:setQueryRate(20, 10, "Exceeded query rate", 60)
-dbr:setRCodeRate(DNSRCode.NXDOMAIN, 15, 10, "Exceeded NXD rate", 60)
-dbr:setRCodeRate(DNSRCode.SERVFAIL, 15, 10, "Exceeded ServFail rate", 60)
-dbr:setQTypeRate(DNSQType.ANY, 3, 10, "Exceeded ANY rate", 60)
+dbr:setQueryRate(300, 10, "Exceeded query rate", 60)
+dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10, "Exceeded NXD rate", 60)
+dbr:setRCodeRate(DNSRCode.SERVFAIL, 30, 10, "Exceeded ServFail rate", 60)
+dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 60)
 dbr:setResponseByteRate(8000, 10, "Exceeded resp BW rate", 60)
 function maintenance()
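Review bot: Raising `setQueryRate` to 300 qps while leaving the context line `dbr:setResponseByteRate(8000, 10, "Exceeded resp BW rate", 60)` untouched makes the byte-rate rule the effective per-source limit: at roughly 100 bytes per answer a client is blocked for 60 s from about 80 qps onward, so the new 300 qps threshold is rarely the one that trips. If 300 qps per source is really the intended tolerance, scale the byte rate to match (for example `dbr:setResponseByteRate(30000, 10, "Exceeded resp BW rate", 60)`) or add a comment explaining why the two thresholds differ by an order of magnitude. Separately, as far as I recall dnsdist records a query in the rings before the rule chain runs, so ANY queries that the next hunk answers with REFUSED still count toward `dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 60)`, meaning more than ~10 ANY queries in 10 s escalate the REFUSED answer into a 60 s drop of all traffic from that source; worth a one-line comment if that escalation is intended, e.g. `-- ANY is refused by the rule chain, but a burst of ANY still trips this block`.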
@@ -11,15 +11,16 @@ function maintenance()
 end
 dbr:apply()
 --
--- Protect against large UDP amplification
--- dnsdist 2.0.0 does not support setMaxUDPSize() or TruncateAction()
--- Use ednsUDPSize in setLocal() to advertise max UDP size
--- Clients requesting larger responses will be truncated automatically
-
 -- --- Basic query mitigations
-addAction(QTypeRule(DNSQType.ANY), DropAction()) -- Drop ANY queries
+addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.REFUSED)) -- Block ANY queries
 addAction(AndRule{QClassRule(3), QNameRule("version.bind")}, DropAction()) -- Block version.bind
+-- Max QPS per client
+addAction(MaxQPSIPRule(25, 24), DelayAction(50)) -- gentle delay instead of drop
+addAction(MaxQPSIPRule(25, 64), DelayAction(100)) -- longer window, slightly longer delay
+addAction(AndRule{MaxQPSIPRule(10), TCPRule(false)}, TCAction())
+
+
 -- Drop queries to local TLDs
 local sldsToDrop = newSuffixMatchNode()
 sldsToDrop:add("lan.")
@@ -40,10 +41,7 @@ if tldsFile then
 end
--- Max QPS per client
-addAction(MaxQPSIPRule(15, 24), DropAction())
-addAction(MaxQPSIPRule(15, 64), DropAction())
-addAction(AndRule{MaxQPSIPRule(5), TCPRule(false)}, TCAction())
+
 -- --- Upstream servers
 -- Public resolvers for official TLDs
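Review bot: The second argument of `MaxQPSIPRule` is the IPv4 prefix length to aggregate on (the IPv6 one is the third), not a time window, so `addAction(MaxQPSIPRule(25, 64), DelayAction(100)) -- longer window, slightly longer delay` does not do what its comment says: 64 bits is, as far as I can tell, a no-op truncation for IPv4 (per-host), and IPv6 keeps the default /64 already used by the line above, so this is a duplicate counter at the same 25 qps with a misleading comment. Since DelayAction, as far as I recall, only delays UDP responses and rule evaluation continues past it, an IPv4 host over 25 qps simply ends up with the later value (100 ms), and UDP clients above the `MaxQPSIPRule(10)` threshold are already truncated by the TCAction rule, so the delay rules throttle very little — a delayed answer is still a full-size answer, which is what matters for reflection. Either drop the second line, or state the intent and pass the IPv6 mask explicitly, e.g. `addAction(MaxQPSIPRule(25, 24, 48), DelayAction(50)) -- per /24 (v4) and /48 (v6); UDP only`, and fix the comments. The TC rule is the real cap on UDP clients and deserves a comment saying so, e.g. `-- UDP sources over 10 qps get TC and must retry over TCP (anti-reflection)`.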
@@ -66,14 +64,14 @@ localUpstream:setUp()
 -- If domain matches official TLDs -> use tldPool
 addAction(SuffixMatchNodeRule(tldNode), PoolAction("tldPool"))
--- Everything else -> use local upstream
--- addAction(PassAction()) -- Queries fall through to defaultPool
--- setServerPolicy("defaultPool")
-
+-- Cacheing
+pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
+getPool(""):setCache(pc)
+getPool("tldPool"):setCache(pc)
 -- --- Local listeners
-addLocal('0.0.0.0:53', { reusePort = true, ednsUDPSize = 1232 }) -- limit UDP response size
+addLocal('0.0.0.0:53', { reusePort = true, tcpFastOpenQueueSize=4096 })
 addTLSLocal('0.0.0.0', '/etc/letsencrypt/live/hnsdoh.com/fullchain.pem', '/etc/letsencrypt/live/hnsdoh.com/privkey.pem', { reusePort = true })
@@ -100,3 +98,6 @@ end
 -- --- Control socket & key
 setKey("csl2icaGACsP3+M9tx55c8+dBxVCnlnqAHEC92P55eo=")
 controlSocket('127.0.0.1:5199')
+
+-- webserver("0.0.0.0:5000")
+-- setWebserverConfig({password="woodburn", apiKey="woodburn", acl="0.0.0.0/0"})
\ No newline at end of file
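Review bot: Dropping `ednsUDPSize = 1232` from the `addLocal('0.0.0.0:53', ...)` line removes the only explicit UDP answer-size control in this config, and the comment block deleted in the earlier hunk described exactly that as the amplification protection; nothing in this hunk replaces it (whether dnsdist actually honoured that option I cannot confirm from here). What is left are the 8000 B/s response byte-rate dynamic block and the TC-at-10-qps UDP rule, both of which engage only after a spoofed source has already been sent full-size answers; if that trade-off is accepted, record it next to the listener, e.g. `-- no UDP answer-size cap here; amplification is bounded by the byte-rate dynblock and the UDP TC rule`. Attaching one packet cache to both `""` and `"tldPool"` is fine since cache keys are per query, but `temporaryFailureTTL=60` replays a backend SERVFAIL/REFUSED to every client for a minute, which is worth a comment given the SERVFAIL dynblock threshold set above. Minor: `-- Cacheing` should read `-- Caching`.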
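Review bot: The new commented-out pair `-- webserver("0.0.0.0:5000")` / `-- setWebserverConfig({password="woodburn", apiKey="woodburn", acl="0.0.0.0/0"})` is a ready-made misconfiguration: uncommenting it exposes the dnsdist web interface and API on every interface to the whole internet behind a one-word password and API key, and those credentials now sit in the file's history even while disabled. If the webserver is wanted, bind it to `127.0.0.1:5000` (or keep a wider bind only with a real `acl`), use `hashPassword(...)` for both the password and the API key as recent dnsdist supports, and keep the values out of this file rather than committing examples. The existing `setKey("csl2...")` line above is unchanged by this commit, but the same applies to it: if this config is shared or public the console key should be rotated and loaded from outside the repository.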