[dnsdist] Suggestions for rules to block abusive traffic

Dan McCombs dmccombs at digitalocean.com
Fri Dec 29 19:11:29 UTC 2023


Hi all,

I'm wondering if anyone has suggestions of reasonable ways to handle this
type of abusive traffic with dnsdist.

We've had on and off attacks recently targeting legitimate domains
delegated to our authoritative service flooding queries for random
subdomains of varying length and characters/words. i.e. 12345.example.com,
fred.example.com, abc178371jd.example.com, where example.com is a
different domain we're authoritative for each attack.

The dnsdist nodes can handle the traffic, but breaking cache and going
through to our backends is having more of an impact.

We have thousands of domains, so it doesn't seem reasonable to apply
individual rate limits to them all, but if there is a straightforward way
to do something like that I'd be happy to hear it. The source addresses are
well known public resolvers that we shouldn't rate limit either.

I'm wondering if there's any way to detect and apply a rule dynamically to
respond to queries for one of these domains without affecting the source IP
address entirely, and not require us to manually add a rule for each domain
as it occurs.

Any ideas would be appreciated.

Take care,

-Dan


Dan McCombs
Senior Engineer I - DNS
dmccombs at digitalocean.com
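The mechanism that matches what is asked for above is dnsdist's suffix-based dynamic block: a Lua visitor walks the tree of names seen in the recent response ring buffer and can block a suffix for every client, so the public resolvers are never rate limited as source IPs. The following configuration fragment is an added example, not code from the original post or from the dnsdist project. The function and field names (dynBlockRulesGroup, setSuffixMatchRule, StatNode.fullname/labelsCount, StatNodeStats.queries/nxdomains, setRingBuffersSize, the maintenance() hook) follow the dnsdist 1.4+ reference documentation and should be checked against the deployed version; the thresholds, the window, the block duration and the two-label apex test are assumptions to tune for your zones.

```lua
-- Added example, not part of the original post or of dnsdist itself.
-- Goal: when the subtree under a zone apex is drawing a flood of NXDOMAIN
-- responses (random-subdomain attack), block that apex for everyone for a
-- while, without touching the querying resolvers' IP addresses.

local dbr = dynBlockRulesGroup()

-- Tunables (assumed values, not from the original post).
local WINDOW_SECONDS = 10    -- how far back in the response ring buffer to look
local BLOCK_SECONDS  = 60    -- how long a flooded apex stays blocked
local NXD_THRESHOLD  = 200   -- NXDOMAINs under the apex within the window
local NXD_RATIO      = 0.8   -- fraction of subtree responses that were NXDOMAIN
local APEX_LABELS    = 2     -- 'example.com.'; zones under multi-label public
                             -- suffixes (co.uk) need a lookup table instead

-- Visitor: called by dbr:apply() once per node of the name tree built from
-- recent responses. node.fullname is e.g. 'example.com.'; self holds the
-- stats for that exact name, children the aggregated stats for every name
-- beneath it. Returning true blocks node.fullname as a suffix.
local function nxdomainFloodVisitor(node, self, children)
  -- Only judge at the apex: each random label is seen once and can never
  -- trip a threshold on its own, but the apex subtree aggregates them.
  if node.labelsCount ~= APEX_LABELS then
    return false
  end
  if children.queries == 0 or children.nxdomains < NXD_THRESHOLD then
    return false
  end
  local ratio = children.nxdomains / children.queries
  if ratio < NXD_RATIO then
    -- Many NXDOMAINs but also plenty of real traffic: leave the zone alone
    -- rather than refuse legitimate queries for it.
    return false
  end
  warnlog(string.format("random-subdomain flood under %s: %d NXDOMAIN of %d responses in %ds",
    node.fullname, children.nxdomains, children.queries, WINDOW_SECONDS))
  return true
end

-- Refused answers keep the flood off the backends and out of the cache.
-- DNSAction.Truncate would only help against spoofed sources: real resolvers
-- retry over TCP and the random names would still reach the backends.
dbr:setSuffixMatchRule(WINDOW_SECONDS, "NXDOMAIN flood on zone", BLOCK_SECONDS,
  DNSAction.Refused, nxdomainFloodVisitor)

-- Under a flood the default ring buffer (10000 entries) may not cover the
-- window; size it so WINDOW_SECONDS of responses fit.
setRingBuffersSize(100000)

-- dnsdist calls maintenance() about once per second; apply() runs the
-- visitor and installs or expires the blocks (showDynBlocks() lists them).
function maintenance()
  dbr:apply()
end
```

The trade-off to keep in mind is that a suffix block refuses every query for the flooded zone, legitimate ones included, for BLOCK_SECONDS; the ratio test above is what keeps a busy zone with a modest NXDOMAIN share from being blocked. If refusing a whole zone is too blunt, the same visitor could return true only for zones in an allow-list table, or the action can be swapped for one that still answers from the dnsdist packet cache where a hit exists.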