by 0xbadcafebee
223 days ago
Who's blocking 670M requests a day? Which requests? From all of France to Quad9? Or all of the whole world's requests to Quad9? It doesn't say anything about that in the article... In any case, 670M DNS requests a day * ~512 bytes (a DNS request is much smaller than this) = 31.76Mbps. Not a tiny amount of traffic, but doable for 1 server. Assuming this is total blocks for all of Quad9 globally? Spread this over 4 nameservers in a region (assuming anycast), with let's say 4 global regions (to be conservative)? That would be 1.985Mbps per server. That's (max!) 484 DNS requests per second, with 1/500th the bandwidth. DNS is probably the fastest protocol on the internet other than ICMP. You can handle a ton of traffic with minimal hardware. Bump up the CPU to handle more interrupts/iptables rules. Buy a NIC with packet offload for even less CPU use (thus handling more requests). And eBPF & XDP would be much faster than netfilter. If you were already gonna accept the request, process it, and send back a reply, dropping the packet doesn't cost you anything. It actually saves bandwidth, tx interrupts, and possibly CPU cycles.

Netfilter is plenty fast, when configured sensibly. You'd probably want a script to populate a "hash:net" ipset instead, and have just one iptables rule:
(where "geoblock" is the aforementioned set)
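One way to do what this reply describes, as an added example that is not code from the thread: a POSIX sh script that turns a CIDR list into an `ipset restore` file for a "hash:net" set and prints the single `-m set --match-set` rule that consults it. The set name "geoblock" is from the reply; the CIDR list is constructed sample data, and nothing here touches the live kernel (output is text you would feed to `ipset restore` and `iptables` yourself).

```shell
#!/bin/sh
# Added example (not from the thread). Builds an ipset "hash:net" block list
# from a CIDR file and emits the one iptables rule that matches against it.
# Assumption: set name "geoblock" as in the reply; the CIDR list below is a
# constructed sample using RFC 5737 documentation ranges, not a real blocklist.

SET_NAME=geoblock

# Constructed sample input: one prefix per line; blank lines and '#' comments
# are allowed, and one deliberately malformed line exercises the skip path.
SAMPLE_CIDRS='# constructed sample, RFC 5737 documentation ranges
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
not-a-cidr
'

# Print an `ipset restore` script: create the set once (idempotent with
# -exist), then one "add" per prefix. Bulk-loading via restore is far cheaper
# than one `ipset add` process per entry. Malformed lines are reported on
# stderr and skipped rather than aborting the whole load.
build_ipset_restore() {
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$SET_NAME"
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            printf 'add %s %s -exist\n' "$SET_NAME" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# The single rule: drop DNS from any source prefix in the set. The ipset
# match module does the lookup, so the rule count stays at one however
# large the set grows. $1 is the transport (udp or tcp).
iptables_rule() {
    printf 'iptables -I INPUT -p %s --dport 53 -m set --match-set %s src -j DROP\n' "$1" "$SET_NAME"
}

# Number of prefixes that made it into the restore script.
count_adds() {
    build_ipset_restore "$1" 2>/dev/null | grep -c '^add '
}

# Typical use: build_ipset_restore "$(cat blocklist.txt)" > geoblock.restore
# then `ipset restore < geoblock.restore`, then run `iptables_rule udp`
# and `iptables_rule tcp`.
```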