diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 23e9c92026..86da4c659b 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -153,28 +153,124 @@ true This will disable prefetching of domains before they time out. + + header + + true + general.enableratelimiting checkbox true - This will enable rate-limiting for DNS replies. + This will enable rate-limiting for DNS responses. general.ratelimitcount - + + text + true + Set how many non-empty responses are allowed per second for valid domain names and record types. The default is 0 or no limit. + + + general.ratelimitwindow + text true - Set how many replies per second are allowed. + Set the number of second during which responses are tracked. The default is 15 seconds. general.ratelimitexcept - + select_multiple true true - Except a list of IPs from rate-limiting like ::1 + Exempt a list of IPs from rate-limiting, e.g. ::1 + + + general.ratelimitipv4prefixlength + + text + true + Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 24. + + + general.ratelimitipv6prefixlength + + text + true + Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 56. + + + general.ratelimitnodataps + + text + true + Set how many empty (NODATA) responses are allowed per second for valid domain names. The default is equal to the Responses Per Second value. + + + general.ratelimitnxdomsps + + text + true + Set how many NXDOMAIN errors are allowed per second for undefined subdomains for valid domain names. The default is equal to the Responses Per Second value. + + + general.ratelimitrefsps + + text + true + Set how many referrals or delegations are allowed per second to a server for a given domain. The default is equal to the Responses Per Second value. + + + general.ratelimiterrsps + + text + true + Set how many errors are allowed per second for valid domain names and record types. The default is equal to the Responses Per Second value. 
+ + + general.ratelimitallps + + text + true + Set how many UDP responses of all types are allowed per second. If used, this should be set to 4 times the size of other per second limits. + + + general.ratelimitslip + + text + true + Set how often to "slip" responses, reducing the use of forged source addresses in attacks. The default is 2, i.e. every second response. Use a value of 0 to disable slipped responses. Use a value of 1 with caution. + + + general.ratelimitscale + + text + true + Set the ratio by which to scale back the Responses Per Second value during attacks. The formula used to produce the new value is ("QPS Scale"/Total Query Rate)*"Responses Per Second". + + + general.ratelimitmaxtbl + + text + true + Set the maximum number of table entries used to track requests and rate-limit responses. The default is 20,000. + + + general.ratelimitmintbl + + text + true + Set the minimum number of table entries used to track requests and rate-limit responses. The default is 500. + + + general.ratelimittry + + checkbox + true + Enable to test rate-limiting parameters without actually dropping any requests. header diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml index 238c9dc248..a71297f642 100644 --- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml +++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml @@ -1,7 +1,7 @@ //OPNsense/bind/general BIND configuration - 1.0.12 + 1.0.13 0 
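Review bot: The help text for general.ratelimitipv4prefixlength and general.ratelimitipv6prefixlength misspells "distinguish" as "distinquish", and the general.ratelimitwindow help reads "the number of second" where it should be "seconds"; suggested wording `Used to distinguish clients into a rate-limited group.` and `Set the number of seconds during which responses are tracked.`. The general.ratelimittry help could also make explicit that the limits are only logged and nothing is dropped or slipped while it is enabled, so an operator does not leave it on after testing, e.g. `Enable to test rate-limiting parameters: limits are logged but no responses are dropped or slipped.`. The XML element tags are not visible in this rendering, so the field types are inferred from the text.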
@@ -146,11 +146,75 @@ 1000 Choose a value between 1 and 1000. + + 1 + 3600 + Choose a value between 1 and 3600. + 0.0.0.0,:: Y Y + + 1 + 32 + Choose a value between 1 and 32. + + + 1 + 128 + Choose a value between 1 and 128. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 0 + 10 + Choose a value between 0 and 10. + + + 1 + 1000 + Choose a value between 1 and 1000. + + + 1 + 100000 + Choose a value between 1 and 100,000. + + + 1 + 100000 + Choose a value between 1 and 100,000. + + + 0 + N + Y hmac-sha256 diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf index 9196b5de3e..3e6fa46b0d 100644 --- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf +++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf 
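Review bot: The new min-table-size and max-table-size fields are validated independently (each 1 to 100,000), so the model accepts a minimum larger than the maximum; I believe named rejects that combination when the configuration is checked, so a save with such values would fail the next reload and take the resolver down. A cross-field check that the minimum does not exceed the maximum, in the model or the controller, would catch it before the template is rendered. Related, the all-per-second field is capped at 1000 while its help text in the form recommends four times the other per-second limits, which are also capped at 1000, so the recommended value is unreachable for larger limits. The element tags are stripped in this rendering, so the field types are inferred from the range text.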
@@ -92,9 +92,48 @@ options {
 {% if helpers.exists('OPNsense.bind.general.enableratelimiting') and OPNsense.bind.general.enableratelimiting == '1' %}
 {% if helpers.exists('OPNsense.bind.general.ratelimitcount') and OPNsense.bind.general.ratelimitcount != '' %}
 rate-limit {
- responses-per-second {{ OPNsense.bind.general.ratelimitcount }};
+ responses-per-second {{ OPNsense.bind.general.ratelimitcount }};
+{% if helpers.exists('OPNsense.bind.general.ratelimitwindow') and OPNsense.bind.general.ratelimitwindow != '' %}
+ window {{ OPNsense.bind.general.ratelimitwindow }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitipv4prefixlength') and OPNsense.bind.general.ratelimitipv4prefixlength != '' %}
+ ipv4-prefix-length {{ OPNsense.bind.general.ratelimitipv4prefixlength }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitipv6prefixlength') and OPNsense.bind.general.ratelimitipv6prefixlength != '' %}
+ ipv6-prefix-length {{ OPNsense.bind.general.ratelimitipv6prefixlength }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitnodataps') and OPNsense.bind.general.ratelimitnodataps != '' %}
+ nodata-per-second {{ OPNsense.bind.general.ratelimitnodataps }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitnxdomsps') and OPNsense.bind.general.ratelimitnxdomsps != '' %}
+ nxdomains-per-second {{ OPNsense.bind.general.ratelimitnxdomsps }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitrefsps') and OPNsense.bind.general.ratelimitrefsps != '' %}
+ referrals-per-second {{ OPNsense.bind.general.ratelimitrefsps }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimiterrsps') and OPNsense.bind.general.ratelimiterrsps != '' %}
+ errors-per-second {{ OPNsense.bind.general.ratelimiterrsps }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitallps') and OPNsense.bind.general.ratelimitallps != '' %}
+ all-per-second {{ OPNsense.bind.general.ratelimitallps }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitslip') and OPNsense.bind.general.ratelimitslip != '' %}
+ slip {{ OPNsense.bind.general.ratelimitslip }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitscale') and OPNsense.bind.general.ratelimitscale != '' %}
+ qps-scale {{ OPNsense.bind.general.ratelimitscale }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitmaxtbl') and OPNsense.bind.general.ratelimitmaxtbl != '' %}
+ max-table-size {{ OPNsense.bind.general.ratelimitmaxtbl }};
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimitmintbl') and OPNsense.bind.general.ratelimitmintbl != '' %}
+ min-table-size {{ OPNsense.bind.general.ratelimitmintbl }};
+{% endif %}
 {% if helpers.exists('OPNsense.bind.general.ratelimitexcept') and OPNsense.bind.general.ratelimitexcept != '' %}
- exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };
+ exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.ratelimittry') and OPNsense.bind.general.ratelimittry != '' %}
+ log-only {{ OPNsense.bind.general.ratelimittry }};
 {% endif %}
 };
 {% endif %}
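Review bot: The log-only guard at the end of the hunk tests `ratelimittry != ''`, so with the boolean field's apparent default of 0 in the model the template emits `log-only 0;` in every configuration that has rate-limiting enabled, whereas the enclosing block tests enableratelimiting with `== '1'`. BIND accepts 0/1 as boolean values, so this is not a syntax problem, but matching the file's own convention would make the directive appear only when test mode was actually chosen, so that a non-enforcing RRL configuration is obvious in the rendered named.conf: `{% if helpers.exists('OPNsense.bind.general.ratelimittry') and OPNsense.bind.general.ratelimittry == '1' %}` followed by `log-only yes;`. The rewritten responses-per-second and exempt-clients lines appear to differ from the removed ones only in whitespace. Whether the default is 0 is inferred from the model hunk, whose element tags are stripped in this rendering.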