[dnsdist] Exclude domains with dynBlockRulesGroup ?

Denis MACHARD d.machard at gmail.com
Sun Jul 16 08:11:38 UTC 2023


 Hi Remi,

Thanks for the quick feedback, it's really appreciated.

My first idea was to exclude domains when setQTypeRate matched; your
explanation is clear, I cannot.

Here is my alternative to do that.

-- list of client IPs to block for 60s
blacklistedIPs = TimedIPSetRule()
addAction(blacklistedIPs:slice(), RCodeAction(DNSRCode.REFUSED))

local function blacklistIP(dq)
  -- dq.remoteaddr is the client ComboAddress; keep it in the set for 60s
  blacklistedIPs:add(dq.remoteaddr, 60)
  return DNSAction.Refused
end

-- list of trusted domains where the rate limiting is not applied
trusted_domains = newSuffixMatchNode()
trusted_domains:add(newDNSName("google.fr."))

-- Rate limiting for TXT and CNAME qtypes only.
-- AndRule stops at the first sub-rule that does not match, and MaxQPSIPRule
-- consumes a token from the per-IP bucket every time it is evaluated, so the
-- qtype and trusted-domain checks come first: only TXT/CNAME queries for
-- non-trusted names are then counted against the 5 qps / burst 5 budget.
addAction(AndRule({
  OrRule({ QTypeRule(DNSQType.TXT), QTypeRule(DNSQType.CNAME) }),
  NotRule(SuffixMatchNodeRule(trusted_domains, true)),
  MaxQPSIPRule(5, 32, 64, 5)
}), SetTagAction('dynamic_block', 'match'))
-- fstl is the dnstap logger (e.g. from newFrameStreamUnixLogger) defined elsewhere in the config
addAction(TagRule('dynamic_block'), DnstapLogAction("dynamic_block", fstl))
addAction(TagRule('dynamic_block'), LuaAction(blacklistIP))

regards,
denis

On Wed, Jul 12, 2023 at 1:16 PM Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:

> Hi Denis,
>
> On 12/07/2023 12:24, Denis MACHARD via dnsdist wrote:
> > How to exclude some domains with the dynamic block feature
> > (dynBlockRulesGroup),
> > Is it possible ? The documentation is not clear on this, if anyone has
> > an example.
>
> We should document this more clearly, there are two types of rules in a
> DBRG:
>
> - setQueryRate, setRCodeRate, setRCodeRatio, setQTypeRate and
> setResponseByteRate work by looking at the queries and responses present
> in the ring buffers grouped by client IP, so they can decide to apply an
> action on a given IP. Therefore the excludeRange, includeRange
> directives apply to these rules to allowlist and denylist some IPs/ranges.
>
> - setSuffixMatchRule and setSuffixMatchRuleFFI work by looking at the
> responses present in the ring buffers grouped by subdomains, so they can
> decide to apply an action on a given domain or subdomain. Therefore the
> excludeDomains directive applies to these rules to prevent a domain and
> its children from being blocked.
>
> So you cannot exclude an IP or a range from
> setSuffixMatchRule/setSuffixMatchRuleFFI, and neither can you exclude a
> domain from the other rules.
>
> I hope that helps!
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>
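The following is an added example, not code from either poster or from the dnsdist project, putting both rule families Remi describes into one dynBlockRulesGroup together with the exclusion directive that applies to each: excludeRange for the per-client-IP rules (setQTypeRate here) and excludeDomains for setSuffixMatchRule. The thresholds, the client ranges, the domain names and the ring buffer size are assumed values chosen for illustration.

```lua
-- Added example (not from the thread): one dynBlockRulesGroup carrying both
-- kinds of dynamic block rules, each with the exclusion directive that
-- applies to it. All thresholds, ranges and names below are assumptions.

-- Dynamic block rules are computed from the query/response ring buffers,
-- so the buffers must be large enough to cover the observation window.
setRingBuffersSize(10000)

local dbr = dynBlockRulesGroup()

-- Per-client-IP rules: a source sending more than 20 TXT (or CNAME) queries
-- per second, measured over the last 10 s, is blocked for 60 s. The decision
-- is keyed on the client IP, so only IP ranges can be excluded here, not
-- domains: a query for google.fr. from an over-quota client still counts.
dbr:setQTypeRate(DNSQType.TXT, 20, 10, "Exceeded TXT rate", 60)
dbr:setQTypeRate(DNSQType.CNAME, 20, 10, "Exceeded CNAME rate", 60)
dbr:excludeRange({ "192.0.2.0/24", "2001:db8::/32" }) -- assumed trusted clients

-- Per-domain rule: the visitor is called for every node of the suffix tree
-- built from the responses in the ring buffers (window: 10 s). Returning true
-- blocks the node's name and everything below it for 60 s with the given
-- action. Here a name is blocked when the responses seen for it and its
-- children contain more than 100 NXDOMAINs.
dbr:setSuffixMatchRule(10, "Exceeded NXDOMAIN rate for domain", 60, DNSAction.Drop,
  function(node, self, children)
    -- self: stats for this exact name; children: aggregated stats of the names below it
    if (self.nxdomains + children.nxdomains) > 100 then
      return true
    end
    return false
  end)

-- Only the suffix-match rule honours excludeDomains: these names and their
-- children are never blocked by it. They remain subject to the per-IP rules
-- above, which is exactly the limitation discussed in the thread.
dbr:excludeDomains({ "google.fr.", "powerdns.com." })

-- The group is only evaluated when apply() is called; dnsdist runs the
-- maintenance() hook once per second.
function maintenance()
  dbr:apply()
end
```

Use the two exclusion lists for what each rule family actually keys on: put monitoring hosts and internal resolvers in excludeRange so they are never blocked by the per-IP rate rules, and put zones you operate or depend on in excludeDomains so a burst of NXDOMAINs under them does not get the whole zone dropped. Neither list reaches across to the other rule family, so the Lua action approach from Denis's reply is still the way to carve out domains from a per-IP limit.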

