Hello Klaus,
On 4 May 2019 23:37:40 CEST, Klaus Darilion wrote:
>I thought about loading the bind Backend and semi-automated export the
>"attacke" zone (and all subzones) from the SQL backend to the bind
>backend. Then, patch PDNS to not check all backends for the best zone
>match (getSOA()
Hi Bart!
On 30.04.2019 at 16:31, power...@bart.bim.be wrote:
In the normal case, suppressing responses may be a good thing to do,
if the actual problem is that the DNS responses are part of a DoS
attack (i.e. the DNS queries came in with spoofed source addresses).
The responses cause your I
Hi Brian!
On 30.04.2019 at 15:37, Brian Candler wrote:
On 29/04/2019 22:14, Klaus Darilion wrote:
Can you give an example how those dynblockrules can be used to filter
above "attack"? The main problem with rate-limiting NXDOMAIN is, that
you need to ask the authoritative to get a response and
In the normal case, suppressing responses may be a good thing to do,
if the actual problem is that the DNS responses are part of a DoS
attack (i.e. the DNS queries came in with spoofed source addresses).
The responses cause your IP reputation to suffer - and burn outbound
bandwidth.
If th
The OP mentions it's only one "domain" being queried with random
subdomains, being easier to match the possible queries like described here:
https://stackoverflow.com/questions/14096966/can-iptables-allow-dns-queries-only-for-a-certain-domain-name
I think this is effective to prevent this attack
On 30/04/2019 14:57, Filipe Cifali wrote:
Other than that you can put a DNS cache in front of the authoritative
to hold off those aggressive queries and give it a nice slab of RAM.
pdns has its own packetcache layer which works very well, but if every
query is a different . then any cache woul
This is probably from 1 source only but spoofing the source address, one
pattern of attacking DNSs that was common some years ago (2013/2014 hits my
memory more on this) was to fake query origin making the DNS server think
there were tons of different IPs querying the server and in reality was only
On 29/04/2019 22:14, Klaus Darilion wrote:
Can you give an example how those dynblockrules can be used to filter
above "attack"? The main problem with rate-limiting NXDOMAIN is, that
you need to ask the authoritative to get a response and check if it is
NXDOMAIN. Then, dropping the response is
Hi Nico!
On 26.04.2019 at 15:05, Nico CARTRON wrote:
Hi Markus,
On 26-Apr-2019 14:55 CEST, wrote:
Hello together,
since recently we use two powerDNS Authoritative Servers (v.4.1.8) for
managing our own domains. Is it possible, to rate-limit dns lookups for
non-existing Domains?
Background:
Hi Markus,
On 26-Apr-2019 14:55 CEST, wrote:
> Hello together,
>
> since recently we use two powerDNS Authoritative Servers (v.4.1.8) for
> managing our own domains. Is it possible, to rate-limit dns lookups for
> non-existing Domains?
> Background: from time to time (several times a day), we g
10 matches