pi-hole · yubiuser · Feb 26, 2022 · Feb 19, 2022 · Feb 19, 2022 · Feb 20, 2022
diff --git a/scripts/pi-hole/php/FTL.php b/scripts/pi-hole/php/FTL.php
@@ -8,12 +8,12 @@
 
 $piholeFTLConfFile = "/etc/pihole/pihole-FTL.conf";
 
-function piholeFTLConfig()
+function piholeFTLConfig($force=false)
 {
 	static $piholeFTLConfig;
 	global $piholeFTLConfFile;
 
-	if(isset($piholeFTLConfig))
+	if(isset($piholeFTLConfig) && !$force)
 	{
 		return $piholeFTLConfig;
 	}

diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
@@ -352,6 +352,13 @@ function addStaticDHCPLease($mac, $ip, $hostname) {
 				}
 				pihole_execute("-a -i ".$DNSinterface." -web");
 
+				// Add rate-limiting settings
+				if(isset($_POST["rate_limit_count"]) && isset($_POST["rate_limit_interval"]))
+				{
+					// Restart of FTL is delayed
+					pihole_execute("-a ratelimit " . intval($_POST["rate_limit_count"]) . " " . intval($_POST["rate_limit_interval"]) . " false");
+				}
+
 				// If there has been no error we can save the new DNS server IPs
 				if(!strlen($error))
 				{

diff --git a/settings.php b/settings.php
@@ -10,7 +10,7 @@
 require_once "scripts/pi-hole/php/FTL.php";
 // Reread ini file as things might have been changed
 $setupVars = parse_ini_file("/etc/pihole/setupVars.conf");
-$piholeFTLConf = piholeFTLConfig();
+$piholeFTLConf = piholeFTLConfig(true);
 
 // Handling of PHP internal errors
 $last_error = error_get_last();
@@ -718,6 +718,19 @@ function convertseconds($argument)
                     </form>
                 </div>
                 <!-- ######################################################### DNS ######################################################### -->
+                <?php
+                    // Use default
+                    $rate_limit_count = 1000;
+                    $rate_limit_interval = 60;
+                    // Get rate limit from piholeFTL config array
+                    if (isset($piholeFTLConf["RATE_LIMIT"])) {
+                        $rl = explode("/", $piholeFTLConf["RATE_LIMIT"]);
+                        if(count($rl) == 2) {
+                            $rate_limit_count = intval($rl[0]);
+                            $rate_limit_interval = intval($rl[1]);
+                        }
+                    }
+                ?>
                 <div id="dns" class="tab-pane fade<?php if($tab === "dns"){ ?> in active<?php } ?>">
                     <form role="form" method="post">
                         <div class="row">
@@ -934,6 +947,21 @@ function convertseconds($argument)
                                                     <a href="https://dnssec.vs.uni-due.de/" rel="noopener" target="_blank">here</a>.</p>
                                                 </div>
                                                 <br>
+                                                <h4><a id="ratelimit"></a>Rate-limiting</h4>
+                                                <p>Block clients making more than <input type="number" name="rate_limit_count" value="<?=$rate_limit_count?>" min="0" step="10" style="width: 5em;"> queries within
+                                                <input type="number" name="rate_limit_interval" value="<?=$rate_limit_interval?>" min="0" step="10" style="width: 4em;"> seconds.</p>
+                                                <p>When a client makes too many queries in too short time, it
+                                                gets rate-limited. Rate-limited queries are answered with a
+                                                <code>REFUSED</code> reply and not further processed by FTL
+                                                and prevent Pi-holes getting overwhelmed by rogue clients.
+                                                It is important to note that rate-limiting is happening on a
+                                                per-client basis. Other clients can continue to use FTL while
+                                                rate-limited clients are short-circuited at the same time.</p>
+                                                <p>Rate-limiting may be disabled altogether by setting both
+                                                values to zero. See
+                                                <a href="https://docs.pi-hole.net/ftldns/configfile/#rate_limit" target="_blank">our documentation</a>
+                                                for further details.</p>
+                                                <br>
                                                 <h4>Conditional forwarding</h4>
                                                 <p>If not configured as your DHCP server, Pi-hole typically won't be able to
                                                    determine the names of devices on your local network.  As a