On Mon, Jun 03, 2024 at 11:23:59AM +0000, Kilian Ries via Pdns-users wrote:
> Hi,
>
> I think you may have all heard about DNSBomb attacks:
>
> https://www.isc.org/blogs/2024-dnsbomb/
>
> Are there any recommended settings for auth or dnsdist for mitigating such attacks?
>
> Thanks
>
> Regards,
> Kilian

Hi,

The DNSBomb attack uses specially crafted auths to trigger an aggregation mechanism in resolvers (in pdns recursor that is called "chaining") to send their accumulated answers in a very short time, resulting in a traffic spike from the resolver that might impact clients.

In PowerDNS Recursor, the natural limit of aggregation is max-mthreads, so there's already a limit in place. The relatively short time (compared to other resolvers) a client request may take and the time we are willing to wait for an auth's answer also play a role to further mitigate DNSBomb.

When using dnsdist before a recursor, you could apply client rate limiting to further protect against this and similar attacks. Some will argue that you should already have that in place, especially if you run a public resolver.

Auths are not subjected to this attack, other than that specially crafted auths are used to perform the attack.

The upcoming Recursor 5.1.0 will have some further improvements to handle auths that are slow to answer in an improved way. This was developed while studying the impact of DNSBomb on PowerDNS Recursor.

-Otto

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
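As an added example (not from this thread or from the PowerDNS project), here is a dnsdist configuration that puts the per-client rate limiting mentioned in the reply in front of a recursor. The listen address, backend address, client networks and rate values are constructed assumptions to adapt to your deployment.

```lua
-- dnsdist.conf (Lua). Added example; addresses, ranges and limits are assumptions.

-- Where dnsdist listens and the PowerDNS Recursor it forwards to (constructed values).
setLocal("192.0.2.53:53")
newServer({address = "127.0.0.1:5300", name = "recursor"})

-- Only serve your own clients: an open resolver lets anyone trigger traffic
-- spikes through your recursor.
setACL({"192.0.2.0/24", "2001:db8::/32"})

-- Per-client rate limit: a source exceeding 20 queries/second (IPv4 counted per /32,
-- IPv6 per /64), with a burst allowance of 40, is dropped before it reaches the
-- recursor, so a single client cannot make the recursor accumulate a large number
-- of outstanding queries on its behalf.
addAction(MaxQPSIPRule(20, 32, 64, 40), DropAction())

-- Softer alternative to dropping: answer truncated (TC=1) so well-behaved clients
-- retry over TCP, while spoofed UDP sources gain nothing.
-- addAction(MaxQPSIPRule(20, 32, 64, 40), TCAction())

-- Global ceiling on the query rate the recursor behind dnsdist is asked to handle.
addAction(MaxQPSRule(5000), DropAction())
```

The recursor's own max-mthreads setting remains the hard cap on concurrent outstanding queries; dnsdist limits here only reduce how quickly a client can approach it.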