Steffan via Pdns-users <pdns-users@mailman.powerdns.com> writes:

> Well the problem was a small attack targeting a lot of subdomains of a client.
>
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 117.54.16.252 wants
> 'payments.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a02:2f0e:5fff:ffff::2 wants
> 'skyline.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a04:c602:409:fe::27 wants
> 'app3.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

This is known as a pseudo random subdomain attack, often abbreviated PRSD.

> I forgot at that time that I had logging on. So it could be that without the
> logging the DNS would be fast enough to handle it

Turning off logging will definitely help.

The standard approach for users of PowerDNS software to address DNS based attacks is to install dnsdist and put that in front of PowerDNS. Using dnsdist you can inspect queries that are coming in, create query rate limits and specific mitigation rules in case of an attack.

Another approach often used by larger installations is to utilize anycast to have multiple servers announcing the same DNS server IPs from multiple geographical locations. This is how e.g. 1.1.1.1 and 8.8.8.8 work.

Best regards,
Jacob

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
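As an added illustration of the dnsdist approach Jacob describes (this is example configuration written for this thread, not code from the list, the poster or the PowerDNS project), the dnsdist.conf below puts dnsdist in front of pdns_server, applies a static per-client rate limit, and adds dynamic blocks keyed on the two signals a PRSD flood against an authoritative server produces: a high query rate per source and a high NXDOMAIN rate per source. The listen address 192.0.2.53, the backend 127.0.0.1:5300, the excluded range 192.0.2.0/24 and all thresholds are constructed values to be adjusted for the real deployment; it assumes dnsdist 1.4 or later.

```lua
-- dnsdist.conf (Lua) -- example configuration, not from the PowerDNS project.
-- All addresses and thresholds below are constructed placeholders.

-- Public listener for dnsdist; pdns_server is moved to a local port behind it.
setLocal("192.0.2.53:53")
newServer({address = "127.0.0.1:5300", name = "pdns-auth"})

-- Static limit: drop queries from any single IPv4 /32 or IPv6 /64 source
-- that exceeds 100 queries/second (the masks group clients per address block).
addAction(MaxQPSIPRule(100, 32, 64), DropAction())

-- Dynamic blocks: dnsdist keeps a ring buffer of recent queries and responses
-- and evaluates these rules once per second from maintenance() below.
local dbr = dynBlockRulesGroup()

-- Any source sending more than 200 queries within a 10 second window is
-- blocked for 60 seconds.
dbr:setQueryRate(200, 10, "Exceeded query rate", 60)

-- Random subdomains of a zone this server is authoritative for all answer
-- NXDOMAIN, so a source collecting more than 50 NXDOMAINs in 10 seconds is
-- very likely part of a PRSD flood. Truncate instead of drop: UDP queries
-- get a TC=1 answer, a real recursive resolver retries over TCP and keeps
-- working, while spoofed-source traffic never completes the TCP handshake.
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10, "Exceeded NXDOMAIN rate", 60,
                 DNSAction.Truncate)

-- Never block our own resolvers or monitoring (constructed range).
dbr:excludeRange({"192.0.2.0/24"})

-- dnsdist calls maintenance() every second; applying the group here is what
-- actually installs and expires the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Two practical notes. First, source-based limits are a blunt tool for PRSD: the queries typically arrive through many open or ISP recursive resolvers, so a resolver that serves many legitimate users for the attacked zone can trip the NXDOMAIN rule; that is why the example truncates rather than drops and why the exclusion list matters. Second, during an incident `showDynBlocks()` on the dnsdist console lists which sources are currently blocked and why, which is the quickest way to see whether the thresholds are catching the flood or legitimate resolvers.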