Suggestions from older threads (Klaus Darrilon):
- Put that zone in a more efficient backend (he suggested lmdb)
- Put that zone in more efficient software (he suggested nsd) and use
dnsdist to route the traffic to the alternate software

Very old suggestion:
- Use a firewall uint32 match to lock out queries to the attacked zone.

Crazy idea:
- enable DNSSEC on that zone
- set up pdns recursor or similar and delegate the zone to it
- pdns-recursor should now be able to efficiently calculate the
NXDOMAINs based on NSEC/NSEC3 information


Cheers

On 16.07.21 at 11:33, David Porter via Pdns-users wrote:
Hello,

We have received a DDoS attack on our powerdns infrastructure.
The DNS requests were all non-existing records in 1 single zone.

Eg:
   ghz2.mydomain.com
   cdzx.mydomain.com
   hh3r.mydomain.com

The result was that the SQL backend was overloaded with these queries
and caused some of our servers not to respond to legitimate queries.
See here an example from the SQL log:

2021-07-13T14:50:43.459635Z      3061 Reset stmt
2021-07-13T14:50:43.463172Z      3059 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='gzh1.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.463989Z      3059 Reset stmt
2021-07-13T14:50:43.468001Z      3060 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='cdzx.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.468822Z      3060 Reset stmt
2021-07-13T14:50:43.471102Z      3061 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='cvqi.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.472178Z      3061 Reset stmt
2021-07-13T14:50:43.474985Z      3059 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='hh3r.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.475371Z      3059 Reset stmt
2021-07-13T14:50:43.478971Z      3060 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='9jv9.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.479399Z      3060 Reset stmt
2021-07-13T14:50:43.483063Z      3061 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='boxl.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.483457Z      3061 Reset stmt

The new zone cache feature only caches the "domains" table; it is not
caching each record in the backend.

Is there any way we can ensure that powerdns caches a complete zone in
case we encounter a randomly generated DNS attack on our authoritative
DNS servers?

Thank you,

David

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
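As an added example, not from the thread and not PowerDNS or dnsdist code: detection logic that reads MySQL general-log lines in the shape quoted above, rejoins the wrapped SELECT statements, and flags any second in which a zone's record lookups are almost all distinct names, the signature of the random-subdomain flood David describes hitting the SQL backend. The log sample is constructed from the lines in the thread; the one-second window and the threshold of 3 distinct names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: MySQL general-log entries as the thread shows them, with the
# SELECT wrapped over three lines (continuation lines carry no timestamp).
SAMPLE_LOG = """\
2021-07-13T14:50:43.459635Z      3061 Reset stmt
2021-07-13T14:50:43.463172Z      3059 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='gzh1.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.463989Z      3059 Reset stmt
2021-07-13T14:50:43.468001Z      3060 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='cdzx.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.468822Z      3060 Reset stmt
2021-07-13T14:50:43.471102Z      3061 Execute   SELECT
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
disabled=0 and name='cvqi.mydomain.com' and domain_id=1280
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+\d+\s+(\w+)")
NAME_RE = re.compile(r"name='([^']+)' and domain_id=(\d+)")

def parse_entries(text):
    """Rejoin wrapped lines; return (second, qname, domain_id) for each Execute entry."""
    entries = []
    for line in text.splitlines():
        if TS_RE.match(line):
            entries.append(line)
        elif entries:  # no timestamp: continuation of the previous statement
            entries[-1] += " " + line
    out = []
    for e in entries:
        m = TS_RE.match(e)
        n = NAME_RE.search(e)
        if m.group(2) == "Execute" and n:
            out.append((m.group(1), n.group(1).lower(), int(n.group(2))))
    return out

def find_random_name_bursts(entries, min_distinct=3):
    """Per (domain_id, second): flag windows where (almost) every lookup is a new name."""
    stats = defaultdict(lambda: [0, set()])
    for sec, name, dom in entries:
        stats[(dom, sec)][0] += 1
        stats[(dom, sec)][1].add(name)
    alerts = []
    for (dom, sec), (total, names) in sorted(stats.items()):
        if len(names) >= min_distinct and len(names) / total >= 0.9:
            alerts.append({"domain_id": dom, "second": sec, "lookups": total, "distinct": len(names)})
    return alerts
```

Legitimate traffic repeats the same names (and is answered from the packet cache), so a window where nearly every backend lookup is a never-seen name under one domain_id is the point at which routing that zone elsewhere or rate-limiting it, as the suggestions above propose, becomes worthwhile.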
