The OP mentions it's only one "domain" being queried with random subdomains, so it is easier to match the possible queries as described here:
https://stackoverflow.com/questions/14096966/can-iptables-allow-dns-queries-only-for-a-certain-domain-name

I think this is effective to prevent this attack right now if it's affecting the OP. It should not be used for long, just until the attack comes to a halt. It's important to use a LOG flag before, to know when the attack stops, because the CPU hit can be heavy if the kernel table gets too inflated.

On Tue, Apr 30, 2019 at 11:22 AM Brian Candler <b.cand...@pobox.com> wrote:

> On 30/04/2019 14:57, Filipe Cifali wrote:
> > Other than that you can put a DNS cache in front of the authoritative
> > to hold off those aggressive queries and give it a nice slab of RAM.
>
> pdns has its own packetcache layer which works very well, but if every
> query is a different <randomstring>.<yourdomain> then any cache would be
> forced to pass the query through.
>
> There might be some ways to deal with this. e.g. if <randomstring> is
> always more than a certain number of characters, dnsdist could filter
> them out (whilst explicitly whitelisting any other valid names which
> happen to be the same length)
>
> The trouble is, you do still want to return NXDOMAIN normally to regular
> typos.
>

--
[ ]'s
Filipe Cifali Stangler
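As an added example (not code from this thread, from PowerDNS or from dnsdist), here is the filtering idea Brian sketches plus the "log it so you know when it stops" point from the reply above, written in Python so the logic can be run over a query log offline. It goes a little beyond the thread by requiring both an over-long leftmost label and high character entropy before a name is marked for dropping, so a long but repetitive typo still gets its normal NXDOMAIN. The zone name, the thresholds, the allowlist, the log line format and the sample log lines are all assumptions constructed for the example.

```python
"""Random-subdomain flood: classify query names under one zone and
summarize drops per minute so an operator can tell when the flood ends.

Added example for the pdns-users thread; not PowerDNS or dnsdist code.
ZONE, MAX_LABEL, ALLOWLIST, the log format and SAMPLE_LOG are assumptions.
"""
from collections import Counter
import math

ZONE = "example.com"                    # assumed: the single zone under attack
MAX_LABEL = 12                          # assumed: real hostnames here are shorter
ALLOWLIST = {"longbutlegitimatehost"}   # valid names that happen to be long
MIN_ENTROPY = 3.0                       # bits/char; random alnum labels score ~4


def leftmost_label(qname: str, zone: str):
    """Return the leftmost label of a name below the zone apex, or None when
    the name is the apex itself or belongs to another zone (never filtered)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if not q.endswith("." + z):
        return None
    return q[:-len(z) - 1].split(".")[0]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the label's characters."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qname: str) -> str:
    """'pass' for anything that must still be answered (apex, other zones,
    short typos, allowlisted names, long but low-entropy labels); 'drop'
    only for long, high-entropy junk labels."""
    label = leftmost_label(qname, ZONE)
    if label is None or label in ALLOWLIST:
        return "pass"
    if len(label) > MAX_LABEL and shannon_entropy(label) > MIN_ENTROPY:
        return "drop"
    return "pass"


# Constructed sample log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2019-04-30T11:22:01 198.51.100.7 x7q2mz9k4vb1tpw8.example.com A
2019-04-30T11:22:01 198.51.100.7 a3f9c1e7b2d4a6f8e0c5.example.com A
2019-04-30T11:22:02 203.0.113.9 mailserver.example.com MX
2019-04-30T11:22:03 198.51.100.7 q9wd2lk8xm3zr7vt.example.com A
2019-04-30T11:23:10 203.0.113.9 wwww.example.com A
2019-04-30T11:23:15 203.0.113.9 longbutlegitimatehost.example.com AAAA
"""


def summarize(log_text: str) -> dict:
    """Per-minute drop/pass counts. When the 'drop' column stays at zero for
    a while, the flood has stopped and the temporary rule can be removed."""
    per_minute = {}
    for line in log_text.splitlines():
        ts, _client, qname, _qtype = line.split()
        bucket = per_minute.setdefault(ts[:16], {"drop": 0, "pass": 0})
        bucket[classify(qname)] += 1
    return per_minute


if __name__ == "__main__":
    for minute, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(minute, counts)
```

The `MIN_ENTROPY` check is what keeps this from breaking the typo case Brian raises: a name such as `wwwwwwwwwwwwwwwwwww.example.com` is longer than `MAX_LABEL` but scores zero entropy, so it passes through and the authoritative still returns NXDOMAIN for it.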
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users