<div dir="ltr">Would this do the trick:<div><br></div><div> addAction( RegexRule( "\\.shopify\\.sh\\.cn$" ), DropAction() )</div><div><br></div><div>?</div><div><br></div><div>I'm assuming that you don't actually have any legit queries for that subdomain, which might not be the case (and thus disrupt users' legit queries).</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 31, 2022 at 2:00 AM me aharen via dnsdist <<a href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">




<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Hello there,</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
I am in a situation where my dnsdist server is being flooding with random DNS quieies like seen below:</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<a href="http://zvbi2raw.shopify.sh.cn" target="_blank">zvbi2raw.shopify.sh.cn</a>.
<div><a href="http://zuqiuzhibonow.shopify.sh.cn" target="_blank">zuqiuzhibonow.shopify.sh.cn</a>. </div>
<div><a href="http://zypb-pjqr.shopify.sh.cn" target="_blank">zypb-pjqr.shopify.sh.cn</a>.</div>
<div><a href="http://zuul-data.shopify.sh.cn" target="_blank">zuul-data.shopify.sh.cn</a>.</div>
<div><a href="http://zwingscloud.shopify.sh.cn" target="_blank">zwingscloud.shopify.sh.cn</a>.</div>
<div><a href="http://zuqiuzhoukan00.shopify.sh.cn" target="_blank">zuqiuzhoukan00.shopify.sh.cn</a>.</div>
<div><a href="http://zysd.shopify.sh.cn" target="_blank">zysd.shopify.sh.cn</a>.</div>
<div><a href="http://zzmtwvncx.shopify.sh.cn" target="_blank">zzmtwvncx.shopify.sh.cn</a>. </div>
<span><a href="http://zvit.shopify.sh.cn" target="_blank">zvit.shopify.sh.cn</a>.</span><br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>These floods generate large SERVFAIL responses and would like to minimize or best handle this.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>On the cache config, I have enabled temporaryFailureTTL to 3600 and staleTTL to 3600.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())" - although I am uncertain if this works as I think it would.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>I do have another QPS rule, "addAction(MaxQPSIPRule(50), PoolAction("abuse"))", to redirect the flooders.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>The only thing I can't do is apply any delay or drop action which would disrupt the user's legit queries. </span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span>Using Dynamic Rule is interesting, but it blocks queries once the "exceedServFails" exceeds, blocks legit queries for /32 - which is disruptive.</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-family:Calibri,Helvetica,sans-serif;font-size:16px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400"><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-family:Calibri,Helvetica,sans-serif;font-size:16px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400">Any pointers? </span><span><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-family:Calibri,Helvetica,sans-serif;font-size:16px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400"><br>
</span></div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Thanks,</div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
AH</div>
</div>

_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div>