Pull request 187: 6368-ratelimit-subnet-len

Squashed commit of the following:

commit 0dbe30782be1069d43d3f615a286325bc72f75a3
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Thu Nov 9 14:22:31 2023 +0300

    Configuration: fix typo

commit 53c94724f7d6178c15dc699b0de631edb5ebb064
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Nov 8 17:51:57 2023 +0300

    Configuration: imp docs

commit 2f0dbdad69a4c571cc4dba53ce87d5dcecc55b40
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Nov 7 20:23:36 2023 +0300

    Configuration: ratelimit subnet len
Stanislav Chzhen 2023-11-09 16:44:47 +03:00
parent a3c6e0cecd
commit 3081c32be0
1 changed files with 14 additions and 3 deletions

@ -467,9 +467,20 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
- **Before v0.107.24** query log settings were part of the `dns` object. - **Before v0.107.24** query log settings were part of the `dns` object.
**Since v0.107.24** query log settings are part of `querylog` object. **Since v0.107.24** query log settings are part of `querylog` object.
- **Anti-DNS amplification features** - **Anti-DNS amplification features**
- `ratelimit` — DDoS protection, specifies in how many packets per second a client should receive. Anything above that is silently dropped. To disable set 0, default is 20. Safe to disable if DNS server is not available from internet. - `ratelimit`: DDoS protection, specifies how many queries per second
- `ratelimit_whitelist` — If you want exclude some IP addresses from ratelimiting but keep ratelimiting on for others, put them here. AdGuard Home should handle. Anything above that is silently dropped. To
- `refuse_any` — Another DDoS protection mechanism. Requests of type ANY are rarely needed, so refusing to serve them mitigates against attackers trying to use your DNS as a reflection. Safe to disable if DNS server is not available from internet. disable set to `0`, default is `20`. Safe to disable if DNS server is not
available from internet.
- `ratelimit_subnet_len_ipv4`: Subnet length for IPv4 addresses used for
rate limiting requests. Default is `24`.
- `ratelimit_subnet_len_ipv6`: Subnet length for IPv6 addresses used for
rate limiting requests. Default is `56`.
- `ratelimit_whitelist`: If you want exclude some IP addresses from
ratelimiting but keep ratelimiting on for others, put them here.
- `refuse_any`: Another DDoS protection mechanism. Requests of type `ANY`
are rarely needed, so refusing to serve them mitigates against attackers
trying to use your DNS as a reflection. Safe to disable if DNS server is
not available from internet.
- **Upstream DNS servers settings:** - **Upstream DNS servers settings:**
- `upstream_dns`: List of upstream DNS servers. - `upstream_dns`: List of upstream DNS servers.