RRL should go after dnsproxy
I am thinking of putting Knot as the public-facing server and enabling RRL on it. However, I noticed that rate limiting comes before forwarding the unsatisfied query to the remote backend. This effectively means that all the queries will be rate limited by error classification.
Wouldn't it be better to apply rate limits after all stages of the query plan have been processed? In other words, rate limit based on the final response, rather than an intermediate state. This way you can truly use Knot as a rate-limiting, public-facing server protecting your backend name server.