Wikidough/Notes
Troubleshooting
Block an IP address or multiple IP addresses
ATTENTION: This step should only be undertaken to prevent abuse of the service.
Add an IP block rule
To block a specific IP address from connecting to Wikidough, run the command below, replacing the example IP with the actual IP:
$ sudo cumin 'A:wikidough' "dnsdist -e addAction({'172.217.12.238/32'}, DropAction())"
To block multiple IPs:
$ sudo cumin 'A:wikidough' "dnsdist -e addAction({'172.217.12.0/24', '1.1.1.1/32'}, DropAction())"
Remove an IP block rule
On any Wikidough host (let's go with doh1001), find the rule number you want to remove (first column of the output of the command below):
sukhe@doh1001:~$ sudo dnsdist -e "showRules()"
Note the rule number you want to delete (assuming, for example, that it is 5) and then remove it with rmRule on all hosts:
$ sudo cumin 'A:wikidough' "dnsdist -e rmRule(5)"
Notes
- This is a dynamic rule and does not require a restart of the dnsdist service.
- Please specify the IP address in CIDR format. This means that 1.1.1.1/32 is fine, 1.1.1.1 is not.
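Because the rule only works with CIDR input and takes effect on every host at once, the address list can be checked before the command is run. The helper below is an added example, not part of the original page or of the Wikidough tooling; the function names and the MIN_PREFIX safety floor are assumptions made for illustration.

```python
import ipaddress

# Assumed safety floor (not from the page): refuse prefixes broader than
# these so a typo cannot drop traffic from a very large range.
MIN_PREFIX = {4: 16, 6: 32}


def parse_cidr(value):
    """Return the normalised network, or raise ValueError."""
    value = value.strip()
    if "/" not in value:
        # The page's note: 1.1.1.1/32 is fine, 1.1.1.1 is not.
        raise ValueError(f"{value!r}: no prefix length, use CIDR format")
    if "%" in value:
        # IPv6 scope IDs are free-form text; keep them out of the command.
        raise ValueError(f"{value!r}: scoped addresses are not accepted")
    # strict=True rejects entries with host bits set, e.g. 172.217.12.5/24,
    # where the operator's intent (one host or the whole range) is unclear.
    net = ipaddress.ip_network(value, strict=True)
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(f"{value!r}: /{net.prefixlen} is broader than allowed")
    return net


def build_block_command(addresses):
    """Build the cumin/dnsdist block command for already-reviewed addresses."""
    nets = [parse_cidr(a) for a in addresses]
    if not nets:
        raise ValueError("no addresses given")
    lua_set = ", ".join(f"'{n}'" for n in nets)
    lua = f"addAction({{{lua_set}}}, DropAction())"
    return f"sudo cumin 'A:wikidough' \"dnsdist -e {lua}\""


if __name__ == "__main__":
    # Constructed sample input: the example addresses used on this page.
    print(build_block_command(["172.217.12.0/24", "1.1.1.1/32"]))
```

The helper only prints the command; running it remains a manual step.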
Rate-limit IP addresses
Add rate-limiting rule
To rate-limit IP addresses (maximum number of queries allowed per address), use the MaxQPSIPRule() selector. For example, to set the allowed queries per second to 40 (with an equivalent burst), matching on a /32 IPv4 and /64 IPv6:
$ sudo cumin 'A:wikidough' "dnsdist -e addAction(MaxQPSIPRule(40, 32, 64), DropAction())"
Remove rate-limiting rule
To remove a rate-limiting rule, follow the same steps as in removing an IP block rule.