0xERR0R / blocky

Fast and lightweight DNS proxy as ad-blocker for local network with many features
https://0xERR0R.github.io/blocky/
Apache License 2.0

rate limiting per client IP #1135

Open 0xERR0R opened 1 year ago

0xERR0R commented 1 year ago

It should be possible to configure a rate limit per client.

ThinkChaos commented 10 months ago

I'm not against adding this, but I think we should at least make it clear in the docs that this isn't enough if you want to prevent (D)DoS and is more for broken clients/someone testing too aggressively.
That being said, IMO something like fail2ban/crowdsec would be a better tool to achieve this since it works with a firewall and will avoid the cost of blocky processing more requests by that client just to ignore them, and can block all traffic from the offenders.

0xERR0R commented 10 months ago

Yes, absolutely agree. I think we should provide a basic layer of security out of the box. This is the same thing as with SSL certificates. It is better to configure SSL termination in a reverse proxy and put blocky behind it without any encryption. But for users who just want to run blocky on a small edge device it is too much overhead.

h3ndrik commented 3 months ago

Hey, can we get this feature? Or at least some documentation on how to configure fail2ban or something? Today I found out I was sending out 8MB/s of traffic constantly and involuntarily participating in some DNS amplification attacks.

I suppose even for fail2ban we need some rate-limiting implemented inside Blocky so it outputs something to the log if that's exceeded, so fail2ban has some log message to match against.

Until then, it would maybe be wise to include a warning in the Readme not to run unprotected public DNS servers.
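Added example, not blocky's code and not posted by any of the commenters: a per-client-IP token bucket in Go of the kind the issue asks for, which also emits one fixed-format log line per "exceeded" episode, the hook h3ndrik points out fail2ban or crowdsec needs in order to have something to match on. The type and function names (ClientLimiter, ExceededLine, ParseExceededLine, Sweep) and the log line format are assumptions made for this example; blocky's real logging looks different.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"regexp"
	"sync"
	"time"
)

// ClientLimiter holds one token bucket per client IP (illustrative, not blocky's code).
// A bucket holds at most `burst` tokens and refills at `rate` tokens per second;
// every query costs one token and an empty bucket means the query is refused.
type ClientLimiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	buckets map[string]*bucket
	now     func() time.Time     // injected clock so behaviour can be tested deterministically
	logf    func(string, ...any) // sink for the "exceeded" line (log.Printf by default)
}

type bucket struct {
	tokens  float64
	last    time.Time
	limited bool // set while the client is in an over-limit episode; one log line per episode
}

func NewClientLimiter(rate, burst float64, now func() time.Time, logf func(string, ...any)) *ClientLimiter {
	if now == nil {
		now = time.Now
	}
	if logf == nil {
		logf = log.Printf
	}
	return &ClientLimiter{rate: rate, burst: burst, buckets: map[string]*bucket{}, now: now, logf: logf}
}

// Allow reports whether a query from ip may be processed right now.
func (l *ClientLimiter) Allow(ip net.IP) bool {
	key := ip.String()
	t := l.now()
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	// Refill in proportion to elapsed time, capped at the bucket size.
	b.tokens += t.Sub(b.last).Seconds() * l.rate
	if b.tokens >= l.burst {
		b.tokens = l.burst
		b.limited = false // client has been quiet long enough; a new flood logs again
	}
	b.last = t
	if b.tokens < 1 {
		if !b.limited { // log once per episode, not once per dropped packet
			b.limited = true
			l.logf("%s", ExceededLine(key, l.rate))
		}
		return false
	}
	b.tokens--
	return true
}

// Sweep deletes buckets idle for longer than maxIdle and returns how many it removed.
// UDP source addresses can be forged, so without eviction a flood of spoofed
// sources would grow the map without bound.
func (l *ClientLimiter) Sweep(maxIdle time.Duration) int {
	t := l.now()
	l.mu.Lock()
	defer l.mu.Unlock()
	n := 0
	for k, b := range l.buckets {
		if t.Sub(b.last) > maxIdle {
			delete(l.buckets, k)
			n++
		}
	}
	return n
}

// ExceededLine is the single line a log-watching tool would match on.
// The wording is an assumption for this example; a fail2ban filter for it would be
//   failregex = rate limit exceeded for client <HOST> \(
func ExceededLine(ip string, rate float64) string {
	return fmt.Sprintf("rate limit exceeded for client %s (over %.0f q/s)", ip, rate)
}

// exceededRe is the Go equivalent of that failregex; <HOST> becomes (\S+).
var exceededRe = regexp.MustCompile(`rate limit exceeded for client (\S+) \(`)

// ParseExceededLine extracts the offending client IP from an ExceededLine.
func ParseExceededLine(line string) (string, bool) {
	m := exceededRe.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return m[1], true
}

func main() {
	// Constructed scenario: 5 q/s with a burst of 10; one client sends 15 queries at once.
	l := NewClientLimiter(5, 10, nil, nil)
	flooder, normal := net.ParseIP("203.0.113.5"), net.ParseIP("203.0.113.6")
	allowed := 0
	for i := 0; i < 15; i++ {
		if l.Allow(flooder) {
			allowed++
		}
	}
	fmt.Printf("flooder: %d of 15 allowed; normal client allowed: %v\n", allowed, l.Allow(normal))
}
```

The block also illustrates ThinkChaos's caveat rather than contradicting it: by the time Allow runs, blocky has already received and parsed the packet, and because the source address of a UDP query can be spoofed (which is what makes the amplification h3ndrik saw possible), the limiter only protects against the client it sees, not against the traffic's true origin. Dropping the offender at the firewall, with something like fail2ban reading the line ExceededLine writes, keeps that cost off the resolver entirely.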