[dnsdist] Suggestions for rules to block abusive traffic
Jacob Bunk Nielsen
jacob at bunknielsen.dk
Wed Jan 3 06:54:16 UTC 2024
Dan McCombs via dnsdist <dnsdist at mailman.powerdns.com> writes:
> We've had on and off attacks recently targeting legitimate domains delegated to our authoritative service flooding
> queries for random subdomains of varying length and characters/words. i.e. 12345.example.com, fred.example.com,
> abc178371jd.example.com, where example.com is a different domain we're authoritative for each attack.
That's usually called a pseudo-random subdomain attack. It happens to
all of us.
> We have thousands of domains, so it doesn't seem reasonable to apply individual rate limits to them all, but if
> there is a straightforward way to do something like that I'd be happy to hear it. The source addresses are well
> known public resolvers that we shouldn't rate limit either.
dnsdist doesn't really know which queries belong to which zones, so it
would be hard to implement a per domain rate limit.
> I'm wondering if there's any way to detect and apply a rule dynamically to respond to queries for one of these
> domains without affecting the source IP address entirely, and not require us to manually add a rule for each domain
> as it occurs.
Have you looked at https://dnsdist.org/guides/dynblocks.html ?
It can dynamically block clients misbehaving, where you define what it
means to be misbehaving.
Best regards,
Jacob
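An added example of what "you define what it means to be misbehaving" can look like in a dnsdist configuration. This is not code from Jacob's or Dan's messages and not dnsdist's own documentation snippet; it assumes dnsdist 1.4 or later (where DynBlockRulesGroup gained setSuffixMatchRule) and it uses a suffix-based rule rather than a per-client rate so that a public resolver relaying the flood is not blocked as a client. The window, thresholds, zone name and block duration are assumptions to be tuned from real traffic.

```lua
-- Added example, not from the mailing-list thread: a dnsdist DynBlockRulesGroup
-- that acts on the queried suffix (the zone being flooded) instead of on the
-- source address, so a legitimate public resolver keeps working for other zones.
local dbr = dynBlockRulesGroup()

-- Seconds of ring-buffer history each evaluation looks back over (assumed value).
local window = 20
-- Queries per second under one suffix before it counts as a flood (assumed value).
local qpsThreshold = 500
-- Distinct child names seen under the suffix in the window (assumed value).
-- A hot legitimate name has few children; a random-label flood has thousands.
local minChildren = 100
-- How long (seconds) a matched suffix stays blocked (assumed value).
local blockSeconds = 60

-- Zones that must never be suffix-blocked (constructed placeholder name).
dbr:excludeDomains({"example.org"})

-- The visitor runs once per node of the name tree dnsdist builds from its
-- ring buffers. `selfStats` counts queries for exactly node.fullname,
-- `children` sums everything below it. Returning true blocks that suffix.
local function prsdVisitor(node, selfStats, children)
  -- Never block the root or a bare TLD, whatever the counters say.
  if node.labelsCount < 2 then
    return false
  end
  local childQps = children.queries / window
  if childQps < qpsThreshold or node.numChildren < minChildren then
    return false
  end
  -- Random labels under a zone you are authoritative for answer NXDOMAIN;
  -- require that most of the traffic below this name did, to spare a zone
  -- that is simply popular.
  if children.queries > 0 and children.nxdomains < children.queries * 0.8 then
    return false
  end
  return true
end

-- Drop is used here; DNSAction.Refused is the alternative if you prefer the
-- resolvers to get an explicit answer instead of a timeout.
dbr:setSuffixMatchRule(window, "Pseudo-random subdomain flood", blockSeconds,
                       DNSAction.Drop, prsdVisitor)

-- dnsdist calls maintenance() about once per second; apply() evaluates the rules.
function maintenance()
  dbr:apply()
end
```

Two caveats worth keeping in mind: a suffix block covers every name under the matched zone, including its legitimate records, for the duration of the block, which is the trade-off the original question accepted; and the NXDOMAIN ratio only works if dnsdist sees the responses, so the rule must sit on a dnsdist instance that proxies the authoritative answers. Inspect what the rule is actually blocking with showDynBlocks() from the dnsdist console before lowering the thresholds.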