[dnsdist] Suggestions for rules to block abusive traffic

Klaus Darilion klaus.darilion at nic.at
Mon Jan 8 13:31:00 UTC 2024 

Hi Dan!

This is a known issue and we have not found a simple solution in dnsdist. And obviously it is only a problem if the backend is slow. In our case we are affected as we use Pdns + DB backend as backend.

  1.  Use a fast name server as additional backend (we used NSD) and dynamically provision targeted zones (and all subzones) on the faster backend and redirect the zone to the fast backend (dnsdist rule). Out detection is based on “dsc” statistics collector.
  2.  Use a fast nameserver instead of dnsdist + slow backend (we use Knot for customers that are constantly under attack)

These two methods helped us, but of course add additional operations work to implement and operate it.

If you find a simple dnsdist based solution to filter these random queries I would be interested too ;-)

Regards
Klaus

Von: dnsdist <dnsdist-bounces at mailman.powerdns.com> Im Auftrag von Dan McCombs via dnsdist
Gesendet: Freitag, 29. Dezember 2023 20:11
An: dnsdist at mailman.powerdns.com
Betreff: [dnsdist] Suggestions for rules to block abusive traffic

Hi all,

I'm wondering if anyone has suggestions of reasonable ways to handle this type of abusive traffic with dnsdist.

We've had on and off attacks recently targeting legitimate domains delegated to our authoritative service flooding queries for random subdomains of varying length and characters/words. i.e. 12345.example.com<http://12345.example.com>, fred.example.com<http://fred.example.com>, abc178371jd.example.com<http://abc178371jd.example.com>, where example.com<http://example.com> is a different domain we're authoritative for each attack.

The dnsdist nodes can handle the traffic, but breaking cache and going through to our backends is having more of an impact.

We have thousands of domains, so it doesn't seem reasonable to apply individual rate limits to them all, but if there is a straight forward way to do something like that I'd be happy to hear it. The source addresses are well known public resolvers that we shouldn't rate limit either.

I'm wondering if there's any way to detect and apply a rule dynamically to respond to queries for one of these domains without affecting the source IP address entirely, and not require us to manually add a rule for each domain as it occurs.

Any ideas would be appreciated.

Take care,

-Dan

[https://digitaloceanspace.nyc3.digitaloceanspaces.com/do-sig_files/do-email_signature.png]

Dan McCombs
Senior Engineer I - DNS
dmccombs at digitalocean.com<mailto:dmccombs at digitalocean.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20240108/ad16fa31/attachment-0001.htm>

More information about the dnsdist mailing list