[dnsdist] Suggestions for rules to block abusive traffic

Mon Jan 8 16:28:17 UTC 2024

Hi Klaus!

>  In our case we are affected as we use Pdns + DB backend as backend.

Yep, that's exactly our case as well - our legacy Pdns + mysql backends
don't handle this very well. Longer term we intend to move away from that,
but finding some improvements in the meantime for handling these floods
would be helpful. I'll let you know if we come up with anything interesting!

-Dan

Dan McCombs
Senior Engineer I - DNS
dmccombs at digitalocean.com

On Mon, Jan 8, 2024 at 8:31 AM Klaus Darilion <klaus.darilion at nic.at> wrote:

> Hi Dan!
>
>
>
> This is a known issue and we have not found a simple solution in dnsdist.
> And obviously it is only a problem if the backend is slow. In our case we
> are affected as we use Pdns + DB backend as backend.
>
>    1. Use a fast name server as additional backend (we used NSD) and
>    dynamically provision targeted zones (and all subzones) on the faster
>    backend and redirect the zone to the fast backend (dnsdist rule). Out
>    detection is based on “dsc” statistics collector.
>    2. Use a fast nameserver instead of dnsdist + slow backend (we use
>    Knot for customers that are constantly under attack)
>
>
>
> These two methods helped us, but of course add additional operations work
> to implement and operate it.
>
>
>
> If you find a simple dnsdist based solution to filter these random queries
> I would be interested too ;-)
>
>
>
> Regards
>
> Klaus
>
>
>
> *Von:* dnsdist <dnsdist-bounces at mailman.powerdns.com> * Im Auftrag von *Dan
> McCombs via dnsdist
> *Gesendet:* Freitag, 29. Dezember 2023 20:11
> *An:* dnsdist at mailman.powerdns.com
> *Betreff:* [dnsdist] Suggestions for rules to block abusive traffic
>
>
>
> Hi all,
>
> I'm wondering if anyone has suggestions of reasonable ways to handle this
> type of abusive traffic with dnsdist.
>
> We've had on and off attacks recently targeting legitimate domains
> delegated to our authoritative service flooding queries for random
> subdomains of varying length and characters/words. i.e. 12345.example.com,
> fred.example.com, abc178371jd.example.com, where example.com is a
> different domain we're authoritative for each attack.
>
> The dnsdist nodes can handle the traffic, but breaking cache and going
> through to our backends is having more of an impact.
>
>
>
> We have thousands of domains, so it doesn't seem reasonable to apply
> individual rate limits to them all, but if there is a straight forward way
> to do something like that I'd be happy to hear it. The source addresses are
> well known public resolvers that we shouldn't rate limit either.
>
> I'm wondering if there's any way to detect and apply a rule dynamically to
> respond to queries for one of these domains without affecting the source IP
> address entirely, and not require us to manually add a rule for each domain
> as it occurs.
>
> Any ideas would be appreciated.
>
> Take care,
>
> -Dan
>
>
>
> * Dan McCombs*
>
> Senior Engineer I - DNS
>
> dmccombs at digitalocean.com
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20240108/0ab017a6/attachment.htm>