<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hi Remi,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Thanks for the awesome example. </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
In your example, 80% of Servfail answers over the last 60s, with a minimum of 10 answers, will trigger fallback to TCP.</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Can you explain the "minimum of 10 answers during that time to reduce the risk of false-positive" part? Does it mean that a minimum of 10 queries within that window should be SERVFAIL?</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
The dynamic rule can also use DNSAction.Pool instead of DNSAction.Truncate. How do I make use of the Pool? This way I could redirect them to a separate server.</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Thanks for your help,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
AH</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> dnsdist <dnsdist-bounces@mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com><br>
<b>Sent:</b> Monday, April 4, 2022 10:30 AM<br>
<b>To:</b> dnsdist@mailman.powerdns.com <dnsdist@mailman.powerdns.com><br>
<b>Subject:</b> Re: [dnsdist] [EXT] Re: How to best handle DNS floods</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi,<br>
<br>
On 03/04/2022 10:42, me aharen wrote:<br>
> Thanks for the input. Yes, we have legit customers participating in the <br>
> PRSD floods.<br>
<br>
Understood.<br>
<br>
> Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you <br>
> share a sample config of this rule?<br>
<br>
I cannot find any example in the documentation, which I really should <br>
fix, but we have a small example in our regression tests:<br>
<br>
<a href="https://github.com/PowerDNS/pdns/blob/790f18878013eda17abb3fd5b0bc03cb87554c79/regression-tests.dnsdist/test_DynBlocks.py#L942">https://github.com/PowerDNS/pdns/blob/790f18878013eda17abb3fd5b0bc03cb87554c79/regression-tests.dnsdist/test_DynBlocks.py#L942</a><br>
<br>
Basically to block for 120s any client that had say, more than 80% of <br>
Servfail answers over the last 60s, with a minimum of 10 answers during <br>
that time to reduce the risk of false positives, you would do:<br>
<br>
local dbr = dynBlockRulesGroup()<br>
-- rcode, ratio, window in seconds, reason, block duration in seconds, minimum number of responses<br>
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10)<br>
<br>
function maintenance()<br>
&nbsp;&nbsp;dbr:apply()<br>
end<br>
<br>
If you wanted to tell these clients to try again over TCP instead:<br>
<br>
local dbr = dynBlockRulesGroup()<br>
-- same parameters, plus the action: reply with TC=1 so the client retries over TCP<br>
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10, DNSAction.Truncate)<br>
<br>
function maintenance()<br>
&nbsp;&nbsp;dbr:apply()<br>
end<br>
<br>
> Regarding the professional service, whom should I contact to get pricing <br>
> details?<br>
<br>
The easiest option is likely to go to <br>
<a href="https://www.open-xchange.com/products/dnsdist/?hsLang=en">https://www.open-xchange.com/products/dnsdist/?hsLang=en</a> and click
<br>
"Contact OX", and someone from our team should get back to you quickly.<br>
<br>
Best regards,<br>
-- <br>
Remi Gacogne<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/">https://www.powerdns.com/</a><br>
</div>
</span></font></div>
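<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Added example (not from the thread and not dnsdist's own code): a stand-alone Python model of the rcode-ratio rule as Remi describes it, run over constructed per-client answer records so the effect of the minimum-answers parameter is visible. It assumes that the minimum counts every answer the client received in the window (not only the SERVFAILs), that "more than 80%" is a strict comparison, and that a block lasts exactly the configured 120s; the client addresses and counts are made-up sample data, and the class and function names are this example's own.
</div>

```python
"""Model of a per-client SERVFAIL-ratio dynamic block (added example, not dnsdist code).

Semantics follow the thread: over a sliding window of `seconds`, a client is
blocked for `block_seconds` when more than `ratio` of its answers carried
`rcode`, but only once it has received at least `min_responses` answers in
that window (assumption: the minimum counts all answers, not only SERVFAILs).
"""
from collections import defaultdict, deque

# DNS RCODE values from RFC 1035 section 4.1.1
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


class RCodeRatioRule:
    def __init__(self, rcode, ratio, seconds, block_seconds, min_responses):
        self.rcode = rcode
        self.ratio = ratio
        self.seconds = seconds
        self.block_seconds = block_seconds
        self.min_responses = min_responses
        self._answers = defaultdict(deque)  # client -> (timestamp, rcode), oldest first
        self.blocks = {}                    # client -> block expiry timestamp

    def record(self, client, ts, rcode):
        """Account one answer sent to `client` at time `ts` (answers are recorded in time order)."""
        self._answers[client].append((ts, rcode))

    def _window(self, client, now):
        """Drop answers older than the window and return what is left."""
        q = self._answers[client]
        while q and q[0][0] < now - self.seconds:
            q.popleft()
        return q

    def evaluate(self, client, now):
        """Return (total, matching, triggered) for the window ending at `now`."""
        q = self._window(client, now)
        total = len(q)
        matching = sum(1 for _, rc in q if rc == self.rcode)
        if total < self.min_responses:
            # Below the minimum the ratio is not even considered: a client whose
            # only three queries all failed is 100% SERVFAIL but not a flood.
            return total, matching, False
        return total, matching, matching / total > self.ratio

    def apply(self, now):
        """What dbr:apply() does from maintenance(): expire old blocks, add new ones.
        Returns the set of clients newly blocked on this pass."""
        self.blocks = {c: t for c, t in self.blocks.items() if t > now}
        newly = set()
        for client in list(self._answers):
            if client in self.blocks:
                continue
            if self.evaluate(client, now)[2]:
                self.blocks[client] = now + self.block_seconds
                newly.add(client)
        return newly


def demo(now=1_000_000.0):
    """Constructed traffic (sample data, not a capture) for the 0.8 / 60s / 120s / 10 rule."""
    rule = RCodeRatioRule(SERVFAIL, 0.8, seconds=60, block_seconds=120, min_responses=10)

    def feed(client, count, rcode, age):
        for _ in range(count):
            rule.record(client, now - age, rcode)

    feed("192.0.2.10", 45, SERVFAIL, 30)   # flood: 45/50 = 90% SERVFAIL inside the window
    feed("192.0.2.10", 5, NOERROR, 30)
    feed("192.0.2.20", 3, SERVFAIL, 10)    # 100% SERVFAIL but only 3 answers: below the minimum
    feed("192.0.2.30", 20, SERVFAIL, 20)   # 20% SERVFAIL: under the ratio
    feed("192.0.2.30", 80, NOERROR, 20)
    feed("192.0.2.40", 40, SERVFAIL, 200)  # old failures, outside the 60s window
    feed("192.0.2.40", 12, NOERROR, 5)

    newly = rule.apply(now)
    return rule, newly


if __name__ == "__main__":
    rule, newly = demo()
    print("blocked now:", sorted(newly))
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, rule.evaluate(client, 1_000_000.0))
    print("after expiry:", rule.apply(1_000_121.0), rule.blocks)
```

<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Only 192.0.2.10 ends up blocked: 192.0.2.20 is entirely SERVFAIL but has too few answers for the ratio to count, 192.0.2.30 is under the ratio, and 192.0.2.40's failures have aged out of the window. A second apply() run 121s later shows the block expiring and not being renewed once the offending answers have left the window.
</div>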
</body>
</html>