Limit the frequency of queries to the DNS server through iptables. Help with recent module
I was puzzled by how to prevent my public recursive DNS server from being used as leverage for DDoS. With PowerDNS Recursor, RRL is not yet available to me (in a stable version), so I decided to limit the number of requests from one IP using iptables. Testing with dnsperf. The rules are as follows (excerpt for DNS):
Chain INPUT:
pkts bytes target prot opt in out source destination
5830 486K my-service all - * * 0.0.0.0/0 <my_ip> ctstate NEW
Chain my-service (1 references):
2429 161K rec-dns udp - * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain rec-dns (1 references)
pkts bytes target prot opt in out source destination
289 18908 DROP all - * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 20 name: DNSQF side: source mask: 255.255.255.255
25 1666 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DNSQF side: source mask: 255.255.255.255
The setup is synthetic; logically, one request should go through in 20 seconds. But in practice I get the following:
tail -n 1000 < queryfile-example-current | ./dnsperf -s <my_ip>
DNS Performance Testing Tool
Nominum Version 2.0.0.0
[Status] Command line: dnsperf -s <my_ip>
[Status] Sending queries (to <my_ip>)
[Status] Started at: Tue Apr 2 17:36:22 2013
[Status] Stopping after 1 run through file
[Timeout] Query timed out: msg id 88
[Timeout] Query timed out: msg id 89
[Timeout] Query timed out: msg id 90
[Timeout] Query timed out: msg id 91
[Timeout] Query timed out: msg id 92
[Timeout] Query timed out: msg id 93
[Timeout] Query timed out: msg id 94
[Timeout] Query timed out: msg id 95
[Timeout] Query timed out: msg id 96
[Timeout] Query timed out: msg id 97
[Timeout] Query timed out: msg id 98
[Timeout] Query timed out: msg id 99
[Timeout] Query timed out: msg id 100
[Timeout] Query timed out: msg id 431
[Timeout] Query timed out: msg id 538
Warning: received a response with an unexpected (maybe timed out) id: 538
[Status] Testing complete (end of file)
Statistics:
Queries sent: 1000
Queries completed: 985 (98.50%)
Queries lost: 15 (1.50%)
Response codes: NOERROR 850 (86.29%), SERVFAIL 11 (1.12%), NXDOMAIN 124 (12.59%)
Average packet size: request 37, response 101
Run time (s): 7.061558
Queries per second: 139.487631
Average Latency (s): 0.328673 (min 0.010320, max 4.438407)
Latency StdDev (s): 0.466997
Why are there 139 requests per second? How so? If I immediately repeat the request, the situation does not change. If I do iptables -Z, then on the first request after that the stats in iptables look like this:
pkts bytes target prot opt in out source destination
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 20 name: DNSQF side: source mask: 255.255.255.255
1 86 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DNSQF side: source mask: 255.255.255.255
That is, either I have not understood the rules of the recent module, or something is cached somewhere. I disabled the running unscd just in case. My brain is already melting; please tell me.
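Added example, not part of the original post: a small Python model of the rec-dns chain above (recent CHECK seconds 20 → DROP, then recent SET → ACCEPT) and of the ctstate NEW jump on INPUT. It assumes the load generator sends every query from one UDP source port, as a single-socket tool does; the IP address and timestamps are constructed.

```python
from dataclasses import dataclass, field

WINDOW = 20.0  # "recent: CHECK seconds: 20" on the DROP rule


@dataclass
class RecentList:
    """Minimal model of the xt_recent list 'DNSQF' with side: source."""
    last_seen: dict = field(default_factory=dict)  # src_ip -> last SET time

    def check(self, src, now, seconds):
        # --rcheck --seconds N matches if src was SET less than N seconds ago
        t = self.last_seen.get(src)
        return t is not None and (now - t) < seconds

    def set(self, src, now):
        # --set adds src to the list or refreshes its timestamp
        self.last_seen[src] = now


def rec_dns(lst, src, now):
    """Chain rec-dns as posted: DROP if recently seen, otherwise SET + ACCEPT.
    A dropped packet never reaches the SET rule, so it does not refresh."""
    if lst.check(src, now, WINDOW):
        return "DROP"
    lst.set(src, now)
    return "ACCEPT"


def run(packets, conntrack):
    """packets: (time_s, src_ip, src_port). With conntrack=True only the
    first packet of each UDP 5-tuple is ctstate NEW; later packets of the
    same flow are ESTABLISHED, skip the jump to my-service, and never
    reach rec-dns at all."""
    lst, flows, verdicts = RecentList(), set(), []
    for t, ip, port in packets:
        if conntrack and (ip, port) in flows:
            verdicts.append("ACCEPT (ESTABLISHED, bypassed rec-dns)")
            continue
        flows.add((ip, port))
        verdicts.append(rec_dns(lst, ip, t))
    return verdicts


# constructed sample: six queries over 26 s from one IP and one source port
SAMPLE = [(t, "198.51.100.7", 40000) for t in (0.0, 1.0, 5.0, 19.0, 25.0, 26.0)]

if __name__ == "__main__":
    print("rec-dns only   :", run(SAMPLE, conntrack=False))
    print("with ctstate NEW:", run(SAMPLE, conntrack=True))
```

Counting the second run's verdicts against the posted dnsperf statistics is the quick way to tell whether packets are being judged by rec-dns at all or are skipping it as part of an already-tracked flow.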