Hello Steffan,
that kind of attack is quite common these days. I would recommend
putting your authoritative nameservers behind dnsdist. dnsdist acts as a
DNS firewall, proxy and load balancer.
We're running some rulesets on dnsdist that, e.g., dynamically block IPs
that "produce" unusually high numbers of NXDOMAIN answers with their
queries (which is usually the case with IPs taking part in PRSD
attacks). You can also limit the number of queries per IP or load balance
queries to more than one backend DNS node. dnsdist is extremely powerful
and versatile and the perfect tool to protect your DNS nodes.
To be able to see which domains are actually attacked, you should not
use pdns query logging - it has a big performance impact which makes the
situation even worse during an attack. Better use some traffic
capturing/sampling tools like pktvisor. It feeds data about the DNS
queries to Prometheus, which can be visualized with Grafana. You can use
that same setup (Prometheus & Grafana) to monitor your dnsdist and pdns
installations.
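As an added illustration (this is not a config from the mail above or from the PowerDNS project) of what such a dnsdist ruleset can look like: two pdns backends behind one listener, a per-IP QPS cap, and dynamic blocks for clients exceeding a query rate or an NXDOMAIN rate. The backend addresses, thresholds and excluded ranges are placeholder values I chose for the example.

```lua
-- dnsdist.conf (example, assumed values)
-- Listen on the public address; the pdns_server backends sit on localhost.
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300", name = "pdns-auth-1"})
newServer({address = "127.0.0.1:5301", name = "pdns-auth-2"})
setServerPolicy(roundrobin)

-- A packet cache in front of pdns absorbs repeated queries for the
-- same name; a PRSD flood of random subdomains will mostly miss it,
-- which is exactly why the dynamic blocks below are needed too.
pc = newPacketCache(100000, {maxTTL = 86400, minTTL = 0,
                             temporaryFailureTTL = 60, staleTTL = 60})
getPool(""):setCache(pc)

-- Hard per-client cap: drop queries from any single IP above 50 QPS
-- (IPv4 /32, IPv6 /64 by default).
addAction(MaxQPSIPRule(50), DropAction())

-- Dynamic blocking: clients that exceed these rates over a 10 second
-- window are dropped for 60 seconds. The NXDOMAIN rate is the signal
-- that matters for random-subdomain (PRSD) floods.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(100, 10, "Exceeded query rate", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDOMAIN rate", 60)
-- Never block monitoring hosts or the internal network (assumed ranges).
dbr:excludeRange({"127.0.0.0/8", "10.0.0.0/8"})
setDynBlocksAction(DNSAction.Drop)

-- dnsdist calls maintenance() about once per second; apply the rules there.
function maintenance()
  dbr:apply()
end
```

Blocked clients are visible in the dnsdist console via showDynBlocks(), and the counters are exported on the Prometheus endpoint if the web server is enabled.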
On 20.10.2023 at 15:52, Steffan via Pdns-users wrote:
Well the problem was a small attack targeting a lot of subdomains of a client.
Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 117.54.16.252 wants 'payments.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a02:2f0e:5fff:ffff::2 wants 'skyline.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a04:c602:409:fe::27 wants 'app3.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS
It comes from many different IPs, and only 3 minutes at 150mb/s.
I forgot at that time that I had logging on. So it could be that without the
logging the DNS would be fast enough to handle it.
Average bandwidth load is about 160k/s, so no big deal.
Kind regards,
Steffan Noord
-----Original Message-----
From: Victor Hugo dos Santos <listas....@gmail.com>
Sent: Friday 20 October 2023 15:45
To: All about using and deploying powerdns <pdns-users@mailman.powerdns.com>
CC: steffanno...@gmail.com
Subject: Re: [Pdns-users] multi dns server
Hello there,
The quantity of domains does not necessarily reflect the quantity of
queries/load.
You can have 5.000 domains with 1.000 QPS or you can have 1 domain with 15.000
QPS !! :-)
Anyway, you should monitor your servers and see if this issue is some kind of
"normal" stuff or some kind of problem (attack, data leak, misconfiguration,
etc). When you detect the problem, then you can decide what to do.
About NS3, NS4, it is a totally valid option, not only to balance the queries
between servers, but to improve your HA too !!! Nevertheless, you still need to
detect where the problem is, if not, you are only going to spend time with the
new NS server but the problem will still occur.
Let us know what you find.
Good luck
On Fri, 20 Oct 2023 at 12:01, Steffan via Pdns-users
<pdns-users@mailman.powerdns.com> wrote:
Hello,
2 days ago my 2 DNS servers had 150mbit of data to process and the DNS went
down.
After the flood was stopped it came up again.
I'm using pdns 4.8.3 on CentOS with MySQL backends.
I am just wondering what would be the best idea to spread the risk.
It is handling about 5000 domains, so not a very big system.
Is it better to use an ns3, ns4 to spread the load over multiple servers, or
some kind of load balancing or multi-IP setup on ns1 and ns2 on multiple
servers?
Any other ideas are welcome.
With regards,
Steffan
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
--
--
Victor Hugo dos Santos
http://www.vhsantos.net
Linux Counter #224399