so, school is out and the children are on the loose
2024-06-10T21:27:24.199750+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2620:171:c2::49@33322
2024-06-10T21:27:24.200561+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@14871
2024-06-10T21:27:24.200642+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53392
2024-06-10T21:27:24.201218+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@2011
2024-06-10T21:27:24.201422+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@54192
2024-06-10T21:27:24.203263+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53398
2024-06-10T21:27:24.203643+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 139.99.166.37@42942
2024-06-10T21:27:25.199585+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 3.228.173.229@34084
2024-06-10T21:27:25.199678+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 76.93.200.106@10371
2024-06-10T21:27:25.200951+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33586
2024-06-10T21:27:25.201029+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2600:3c09::f03c:93ff:fea9:4de0@54166
2024-06-10T21:27:25.201207+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 118.99.2.29@33170
2024-06-10T21:27:25.201385+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 213.187.92.252@40559
2024-06-10T21:27:26.200340+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33594
2024-06-10T21:27:26.200529+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 40.79.144.82@59683
2024-06-10T21:27:26.203837+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 103.85.93.93@60578
2024-06-10T21:27:26.205102+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 13.244.33.51@33812
2024-06-10T21:27:27.208589+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 18.139.204.179@46824
2024-06-10T21:27:27.210062+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 20.125.201.35@63627
2024-06-10T21:27:27.331742+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 172.217.37.144@64719
2024-06-10T21:27:27.332050+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 191.233.201.73@61718
2024-06-10T21:27:27.391797+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@50624
like tens of thousands. some children are like that.
so, we take this as an opportunity to learn a bit more about knot tuning
we shortened `tcp-idle-timeout: 2`
we set `tcp-max-clients: 20`
rate limiting seems unlikely to improve things as it is many sources, a DDoS
what else are we missing?
btw, it also whacked knot enough that it failed a resign cycle and we had
to add `unsafe-operation: no-check-keyset` to get back to signing.
clues appreciated. this can't be the only neighborhood with children.
randy
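A small triage script, added here as an example and not part of the post or of Knot DNS, that parses `terminated inactive client` notices of the shape shown above and reports whether the load is spread across many sources (where, as the post suspects, per-source rate limiting buys little) or concentrated on a few hot clients. The sample log, the `looks_distributed` threshold and all function names are constructed for this example.

```python
import re
from collections import Counter

# Shape of the knotd notice quoted in the post, one entry per (unwrapped) line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ knotd\[\d+\]: notice: TCP, terminated inactive client, "
    r"address (?P<addr>[0-9A-Fa-f.:]+)@(?P<port>\d+)$"
)

# Constructed sample in the same shape as the post's log; documentation
# prefixes (192.0.2.0/24, 2001:db8::/32) are used instead of real clients.
SAMPLE_LOG = """\
2024-06-10T21:27:24.199750+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.10@33322
2024-06-10T21:27:24.200561+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.20@14871
2024-06-10T21:27:24.201218+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.20@2011
2024-06-10T21:27:25.199585+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2001:db8::1@34084
2024-06-10T21:27:25.200951+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.20@40559
2024-06-10T21:27:26.200340+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2001:db8::2@33594
2024-06-10T21:27:26.300000+00:00 rip knotd[1389]: info: some unrelated message
"""


def parse_terminations(text):
    """Return (second, address) pairs, one per matching notice; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # Keep the timestamp to whole seconds for per-second bucketing.
            events.append((m.group("ts")[:19], m.group("addr")))
    return events


def summarize(events, top=3):
    """Per-source and per-second counts that tell a hot client from a broad flood."""
    by_source = Counter(addr for _, addr in events)
    by_second = Counter(sec for sec, _ in events)
    total = len(events)
    return {
        "total": total,
        "unique_sources": len(by_source),
        "top_sources": by_source.most_common(top),
        "top_source_share": by_source.most_common(1)[0][1] / total if total else 0.0,
        "peak_per_second": max(by_second.values()) if by_second else 0,
    }


def looks_distributed(summary, max_top_share=0.2):
    """True when no single source dominates, so per-source limits alone won't help."""
    return summary["unique_sources"] > 1 and summary["top_source_share"] <= max_top_share
```

On the post's own tens of thousands of lines, a high `unique_sources` count with a small `top_source_share` supports the many-sources reading, while a large share from a handful of addresses points at a few misbehaving clients instead.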