<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Details</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REL="HOME" TITLE="PowerDNS manual" HREF="index.html"><LINK REL="UP" TITLE="PowerDNS resolver/recursing nameserver" HREF="built-in-recursor.html"><LINK REL="PREVIOUS" TITLE="PowerDNS Recursor performance" HREF="recursor-performance.html"><LINK REL="NEXT" TITLE="Statistics" HREF="recursor-stats.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >PowerDNS manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="recursor-performance.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 12. PowerDNS resolver/recursing nameserver</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="recursor-stats.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="RECURSOR-DETAILS" >12.4. Details</A ></H1 ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="ANTI-SPOOFING" >12.4.1. Anti-spoofing</A ></H2 ><P > The PowerDNS recursor 3.0 uses a fresh UDP source port for each outgoing query, making spoofing around 64000 times harder. This raises the bar from 'easily doable given some time' to 'very hard'. Under some circumstances, 'some time' has been measured at 2 seconds. This technique was first used by <TT CLASS="FILENAME" >dnscache</TT > by Dan J. Bernstein. </P ><P > In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within a clutch of unexpected ones. 
</P ><P > This behaviour can be tuned using the <B CLASS="COMMAND" >spoof-nearmiss-max</B > setting. </P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN3426" >12.4.2. Throttling</A ></H2 ><P > PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case of overly active clients. </P ><P > This is implemented using the 'throttle', which accounts for all recent traffic and prevents queries that have been sent out recently from going out again. </P ><P > There are three levels of throttling. <P ></P ><UL ><LI ><P > If a remote server indicates that it is lame for a zone, the exact question won't be repeated in the next 60 seconds. </P ></LI ><LI ><P > After 4 ServFail responses in 60 seconds, the query gets throttled too. </P ></LI ><LI ><P > 5 timeouts in 20 seconds also lead to query suppression. </P ></LI ></UL > </P ></DIV ></DIV ></BODY ></HTML >
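The three throttle levels from section 12.4.2, modelled as a sliding-window table; this is an added example, not code from PowerDNS. The names QueryThrottle, Event and throttledAfter, the (server, name, type) key, timestamps in whole seconds, and the rule that suppression lifts once the triggering events age out of their window are all assumptions, since the page does not state how long ServFail or timeout suppression lasts.

```cpp
// Added example, not PowerDNS source. Assumption: suppression ends when events leave the window.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <map>
#include <string>
#include <tuple>

enum class Event { Lame, ServFail, Timeout };
class QueryThrottle {
public:
    using Key = std::tuple<std::string, std::string, uint16_t>;  // server, qname, qtype
    void report(const Key& k, Event e, int64_t now) {
        State& s = d_state[k];
        if (e == Event::Lame) s.lameUntil = now + kLameSecs;
        else if (e == Event::ServFail) s.servfails.push_back(now);
        else s.timeouts.push_back(now);
    }
    // True when this question must not be sent to this server at time `now`.
    bool shouldThrottle(const Key& k, int64_t now) {
        auto it = d_state.find(k);
        if (it == d_state.end()) return false;
        State& s = it->second;
        prune(s.servfails, now - kServFailWindow);
        prune(s.timeouts, now - kTimeoutWindow);
        bool blocked = now < s.lameUntil || s.servfails.size() >= kServFailLimit
                       || s.timeouts.size() >= kTimeoutLimit;
        // Drop idle entries so the table cannot grow without bound.
        if (!blocked && s.servfails.empty() && s.timeouts.empty()) d_state.erase(it);
        return blocked;
    }
private:
    struct State { int64_t lameUntil = 0; std::deque<int64_t> servfails, timeouts; };
    static constexpr int64_t kLameSecs = 60, kServFailWindow = 60, kTimeoutWindow = 20;
    static constexpr std::size_t kServFailLimit = 4, kTimeoutLimit = 5;
    static void prune(std::deque<int64_t>& q, int64_t cutoff) {  // drop events outside window
        while (!q.empty() && q.front() <= cutoff) q.pop_front();
    }
    std::map<Key, State> d_state;
};

// Report `count` events one second apart from t=100, then ask at `checkAt`.
bool throttledAfter(Event e, int count, int64_t checkAt) {
    QueryThrottle t;
    QueryThrottle::Key q{"192.0.2.53", "example.org.", 1};  // constructed sample question
    for (int i = 0; i < count; ++i) t.report(q, e, 100 + i);
    return t.shouldThrottle(q, checkAt);
}
int main() { std::printf("%d\n", throttledAfter(Event::ServFail, 4, 110)); }
```

A resolver built on this model would call shouldThrottle before each outgoing query and report after each lame, ServFail or timed-out result, so one failing upstream server is not hammered on behalf of an overly active client.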