In the normal case, suppressing responses may be a good thing to do, if the actual problem is that the DNS responses are part of a DoS attack (i.e. the DNS queries came in with spoofed source addresses).  The responses cause your IP reputation to suffer - and burn outbound bandwidth.


If the attack is being carried out via a valid recursor DNS, then not responding at all will cause the recursor to try all your nameservers before giving up. This multiplies the incoming traffic you would normally receive on one server by the number of visible nameservers you have. Unless you're sure traffic doesn't come in via a recursor, it's probably better to respond.


Are you using PowerDNS with a MySQL backend? In that case, the fact that every single request needs to be checked in the database is your bottleneck. If you can prevent this from happening, then you'll notice that your server is capable of responding to a much larger number of requests without much of a hassle.


Changing the backend could be an option.


Or, as was pointed out earlier, setting up dnsdist with rules that would whitelist all existing records and make it respond with NXDOMAIN to all non-existing records.

If the "random" requests do show some sort of pattern which could enable you to create a regular expression to find them, then this would be a simple solution. Let's say that the random requests most often contain a number while your real subdomains never have a number:

-- dnsdist rule: any qname of the form <letters><digits><letters>.example.org
-- gets an immediate NXDOMAIN (rcode 3) without reaching the backend.
-- Both dots are escaped so that "." only matches a literal dot.
addAction(RegexRule("^[a-z]*[0-9]+[a-z]*\\.example\\.org$"), RCodeAction(3))  -- 3 = NXDOMAIN


With more complicated regular expressions, you can achieve more. And if this only blocks 90% of them without having to look them up in the DB, then at least you're already doing that.


Sincerely,
Bart Mortelmans


_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
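The combination Bart describes above (whitelist the names that really exist, answer NXDOMAIN for everything else under the zone, and use a cheap regex filter first) as a complete dnsdist configuration. This is an added example, not code from the original post or from the PowerDNS project; the zone name example.org, the backend address 127.0.0.1:5300, the listen address and the list of known names are assumptions chosen for illustration.

```lua
-- Added example (not from the original post): dnsdist configuration that keeps
-- random-subdomain queries away from a PowerDNS/MySQL backend.
-- Assumptions: authoritative zone is example.org, PowerDNS listens on
-- 127.0.0.1:5300, dnsdist listens on port 53, and the list of real names
-- below stands in for one generated from the records table.

newServer({address = "127.0.0.1:5300"})
setLocal("0.0.0.0:53")

-- Zone(s) we are authoritative for; only names under these get the
-- whitelist treatment, so queries for other zones are left alone.
local ourZones = newSuffixMatchNode()
ourZones:add(newDNSName("example.org"))

-- Exact names that really exist in the zone. In production, generate this
-- list from the database (e.g. SELECT DISTINCT name FROM records) and
-- regenerate it whenever records are added or removed.
local knownNames = newDNSNameSet()
for _, n in ipairs({
  "example.org",
  "www.example.org",
  "mail.example.org",
  "ns1.example.org",
  "ns2.example.org",
}) do
  knownNames:add(newDNSName(n))
end

-- 1. Cheapest check first: a label that contains a digit never exists in
--    this zone, so answer NXDOMAIN before doing any set lookup.
addAction(
  RegexRule("^[a-z]*[0-9]+[a-z]*\\.example\\.org$"),
  RCodeAction(DNSRCode.NXDOMAIN)   -- use 3 on dnsdist versions without DNSRCode
)

-- 2. Anything under our zone that is not an existing name also gets
--    NXDOMAIN, so the backend only ever sees queries for real records.
--    QNameSetRule matches the qname exactly; SuffixMatchNodeRule matches
--    the zone and everything below it.
addAction(
  AndRule({ SuffixMatchNodeRule(ourZones), NotRule(QNameSetRule(knownNames)) }),
  RCodeAction(DNSRCode.NXDOMAIN)
)

-- 3. Everything left (existing names in our zone, or zones we do not
--    serve) is forwarded to PowerDNS, which answers as it did before.
```

Two caveats when running this: the whitelist is exact-match, so a zone that relies on wildcard records (*.example.org) cannot be filtered this way without first adding a rule that lets the wildcard's parent through; and an NXDOMAIN produced by RCodeAction carries no SOA record in the authority section, so recursors will not negatively cache it the way they cache a real NXDOMAIN from PowerDNS and may ask again sooner. The answers are still far cheaper than a database lookup per query, which is the point of the post.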
