[c-nsp] rate limit dns

[Phil Mayers]

On 03/01/14 12:19, Gert Doering wrote:

> Well, my "real world" numbers on FreeBSD+unbound+pf are: if I enable
> state tracking in pf, it will about double CPU usage.

Very interesting. This was under "normal" rather than "attack" load, yes?

> The system in question did not have much CPU to spare, so this led to
> DNS queries sometimes being dropped, which resulted in poor user
> experience.

Ugh. I bet it was delightful to troubleshoot as well...