From 3081c32be06f5c8104961c8602023f3daab7fb32 Mon Sep 17 00:00:00 2001 From: Stanislav Chzhen Date: Thu, 9 Nov 2023 16:44:47 +0300 Subject: [PATCH] Pull request 187: 6368-ratelimit-subnet-len Squashed commit of the following: commit 0dbe30782be1069d43d3f615a286325bc72f75a3 Author: Stanislav Chzhen Date: Thu Nov 9 14:22:31 2023 +0300 Configuration: fix typo commit 53c94724f7d6178c15dc699b0de631edb5ebb064 Author: Stanislav Chzhen Date: Wed Nov 8 17:51:57 2023 +0300 Configuration: imp docs commit 2f0dbdad69a4c571cc4dba53ce87d5dcecc55b40 Author: Stanislav Chzhen Date: Tue Nov 7 20:23:36 2023 +0300 Configuration: ratelimit subnet len --- Configuration.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/Configuration.md b/Configuration.md index 77de7e2..a7df750 100644 --- a/Configuration.md +++ b/Configuration.md 
@@ -467,9 +467,20 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib - **Before v0.107.24** query log settings were part of the `dns` object. **Since v0.107.24** query log settings are part of `querylog` object. - **Anti-DNS amplification features** - - `ratelimit` — DDoS protection, specifies in how many packets per second a client should receive. Anything above that is silently dropped. To disable set 0, default is 20. Safe to disable if DNS server is not available from internet. - - `ratelimit_whitelist` — If you want exclude some IP addresses from ratelimiting but keep ratelimiting on for others, put them here. - - `refuse_any` — Another DDoS protection mechanism. Requests of type ANY are rarely needed, so refusing to serve them mitigates against attackers trying to use your DNS as a reflection. Safe to disable if DNS server is not available from internet. + - `ratelimit`: DDoS protection, specifies how many queries per second + AdGuard Home should handle. Anything above that is silently dropped. To + disable set to `0`, default is `20`. Safe to disable if DNS server is not + available from internet. + - `ratelimit_subnet_len_ipv4`: Subnet length for IPv4 addresses used for + rate limiting requests. Default is `24`. + - `ratelimit_subnet_len_ipv6`: Subnet length for IPv6 addresses used for + rate limiting requests. Default is `56`. + - `ratelimit_whitelist`: If you want exclude some IP addresses from + ratelimiting but keep ratelimiting on for others, put them here. + - `refuse_any`: Another DDoS protection mechanism. Requests of type `ANY` + are rarely needed, so refusing to serve them mitigates against attackers + trying to use your DNS as a reflection. Safe to disable if DNS server is + not available from internet. - **Upstream DNS servers settings:** - `upstream_dns`: List of upstream DNS servers.
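Review bot: the rewritten `ratelimit` entry drops the per-client qualifier of the old text ("a client should receive") in favour of "how many queries per second AdGuard Home should handle", which reads as a single global limit, while the two new `ratelimit_subnet_len_ipv4` / `ratelimit_subnet_len_ipv6` entries imply that the counter is kept per subnet; please state explicitly what the limit is applied to, e.g. "... queries per second from one client subnet (see `ratelimit_subnet_len_ipv4` and `ratelimit_subnet_len_ipv6`)", so an operator knows that a `/24` groups many clients into one bucket. The two subnet entries should also say which values are accepted (the usable prefix-length range for each address family) and, following the convention used elsewhere in this list (`**Since v0.107.24** ...`), the version that introduced them. Minor: the `ratelimit_whitelist` line carries over the old typo "If you want exclude" and should read "If you want to exclude"; it would also help to say whether a whitelisted address is exempt even when the rest of its subnet is being limited.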