Hi Bart!

On 30.04.2019 at 16:31, power...@bart.bim.be wrote:

In the normal case, suppressing responses may be a good thing to do, if the actual problem is that the DNS responses are part of a DoS attack (i.e. the DNS queries came in with spoofed source addresses). The responses cause your IP reputation to suffer - and burn outbound bandwidth.


If the attack is being carried out via a valid recursor DNS, then not responding at all will cause the recursor to try all your nameservers before giving up. This multiplies the incoming traffic you would normally receive on one server by the number of visible nameservers you have. Unless you're sure traffic doesn't come in via a recursor, it's probably better to respond.


Are you using PowerDNS with a MySQL backend? In that case, the fact that every single request needs to be checked in the database is your bottleneck. If you can prevent this from happening, then you'll notice that your server is capable of responding to a much larger number of requests without much of a hassle.


Changing the backend could be an option.

I thought about loading the bind backend and semi-automatically exporting the "attacked" zone (and all subzones) from the SQL backend to the bind backend. Then, patch PDNS to not check all backends for the best zone match (getSOA() lookups) but stop if a zone is found in the first backend. The bind backend should easily cope with such traffic patterns.

Or, as was earlier pointed out, by setting up dnsdist with rules that would whitelist all existing records and make it respond with NXDOMAIN to all non-existing records.

Wildcards in the zone may prevent above trick.

If the "random" request do show some sort of pattern which could enable you to create a regular expression to find them, then this would be a simple solution. Let's say that the random requests most often contain a number while your real subdomains never have a number:

-- dots in the zone name escaped so they match literal dots only
addAction(RegexRule("[a-z]*[0-9]+[a-z]*\\.example\\.org$"), RCodeAction(3))

Indeed, that may work and may reduce the number of needed whitelist entries.

With more complicated regular expressions, you can achieve more. And if this only blocks 90% of them without having to look them up in the DB, then at least you're already doing that.

True.

Klaus
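As an added illustration (not code from the thread or from the dnsdist project), the following Python model shows the decision logic the two suggestions above amount to: whitelist the names that really exist, let anything under a wildcard owner through to the backend (the caveat Klaus raises), short-circuit names matching the digit-containing regex with NXDOMAIN, and optionally treat everything else as NXDOMAIN as well (the strict whitelist). The zone contents, the wildcard owner and the query sample are constructed for the example; in production the equivalent rules would live in dnsdist, not in Python.

```python
import re
from collections import Counter

# Everything below is a constructed illustration: the zone contents, the
# wildcard owner and the query sample are invented for this example.

# Names the zone actually contains (the "whitelist" of existing records).
EXISTING_RECORDS = {
    "example.org",
    "www.example.org",
    "mail.example.org",
}

# Owner names that carry a wildcard record, e.g. "*.dyn.example.org" is
# recorded as "dyn.example.org". Any query at or below such a name may
# legitimately match the wildcard, so it must never be short-circuited.
WILDCARD_OWNERS = {"dyn.example.org"}

# The regex from the message (dots escaped so they match literal dots):
# one label containing at least one digit, directly under example.org.
RANDOM_LABEL_RE = re.compile(r"^[a-z]*[0-9]+[a-z]*\.example\.org$")

ZONE_APEX = "example.org"


def normalise(qname: str) -> str:
    """Lower-case the name and strip a trailing dot so comparisons are canonical."""
    return qname.rstrip(".").lower()


def under_wildcard(name: str) -> bool:
    """True if the name sits at or below a wildcard owner (backend must decide)."""
    return any(name == owner or name.endswith("." + owner) for owner in WILDCARD_OWNERS)


def classify_query(qname: str, strict_whitelist: bool = False) -> str:
    """Return 'lookup' (hand the query to the database backend) or
    'nxdomain' (answer with RCODE 3 up front, never touching the backend)."""
    name = normalise(qname)
    if name != ZONE_APEX and not name.endswith("." + ZONE_APEX):
        return "lookup"            # not our zone: let the server handle it normally
    if name in EXISTING_RECORDS:
        return "lookup"            # known name: must be answered from the data
    if under_wildcard(name):
        return "lookup"            # may match a wildcard: cannot short-circuit
    if RANDOM_LABEL_RE.match(name):
        return "nxdomain"          # fits the random-label pattern
    # Strict mode is the whitelist idea: anything not listed is NXDOMAIN.
    # Non-strict mode only short-circuits regex matches and lets the rest
    # through, trading some backend load for no risk of hiding a real name.
    return "nxdomain" if strict_whitelist else "lookup"


def summarise(queries, strict_whitelist: bool = False) -> Counter:
    """Count how many queries reach the backend versus are answered early."""
    return Counter(classify_query(q, strict_whitelist) for q in queries)


# Constructed query sample: legitimate names mixed with random-looking labels.
SAMPLE_QUERIES = [
    "www.example.org.", "mail.example.org.", "example.org.",
    "abc123.example.org.", "x9q.example.org.", "7.example.org.",
    "host42.dyn.example.org.", "staging.example.org.", "www.example.net.",
]

if __name__ == "__main__":
    for strict in (False, True):
        label = "strict whitelist" if strict else "regex only"
        print(label, dict(summarise(SAMPLE_QUERIES, strict)))
```

The ordering matters: the whitelist and wildcard checks come before the regex so that a real record whose label happens to contain a digit (or a name under a wildcard) is never answered NXDOMAIN. The non-strict mode corresponds to the "block 90% without a DB lookup" compromise; the strict mode is the full whitelist, which is only safe once every existing name and wildcard owner has been exported into the rule set.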

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users