<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Eric,</p>
<p>We are using the following DoS protection configuration on dnsdist.
We are using it for our DNS resolvers, but you can change it as
needed for authoritative servers.</p>
<p>This is a dynamic blocklist where we are protecting against very
high QPS from specific clients, or high rate for specific query
types (like ANY). You can also exclude certain IPs/networks from
this blocklist.</p>
<pre>
-- Generate a warning if we detect a query rate above 100 qps for
-- at least 20s.
-- If the query rate rises above 300 qps for 20s, we'll block the
-- client for 60s.
-- If the NXD query rate increases above 20 for 20s, block for 60s.
-- If the ANY query rate increases above 20 for 20s, block for 60s.

local dbr = dynBlockRulesGroup()
dbr:setQueryRate(300, 20, "Exceeded query rate", 60, DNSAction.Drop, 100)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 20, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 20, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 20, 20, "Exceeded ANY rate", 60)
dbr:excludeRange({"192.168.48.0/24", "192.168.188.0/24"})

-- dnsdist calls maintenance() once per second; apply() evaluates the
-- rules above and installs the resulting dynamic blocks.
function maintenance()
  dbr:apply()
end
</pre>
<div class="moz-signature">Regards<br>
<b>Jahanzeb Arshad</b><br>
<br>
</div>
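<p>As an added example (not part of the reply above or of the dnsdist project), the same dynamic-block approach tuned for an authoritative setup like the one Eric describes: UDP floods are answered with TC=1 rather than dropped, so legitimate resolvers retry over TCP while spoofed sources gain nothing, and random-subdomain floods are caught by their NXDOMAIN rate. All thresholds, block durations and the excluded ranges are assumptions and must be tuned against measured normal traffic.</p>

```lua
-- Added example, not from the original post. Thresholds are assumptions;
-- measure normal per-client rates on your authoritative servers first.
local dbr = dynBlockRulesGroup()

-- Plain query floods: UDP queries from an offending client get a TC=1
-- answer (dnsdist does not apply Truncate to TCP queries), so real
-- resolvers fall back to TCP. Log a warning from 500 qps, act above
-- 2000 qps sustained over 10 s, and keep the block for 120 s.
dbr:setQueryRate(2000, 10, "Query flood", 120, DNSAction.Truncate, 500)

-- Random-subdomain attacks show up as a high NXDOMAIN rate per client;
-- authoritative servers answer these cheaply but the volume still hurts.
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 200, 10, "NXDOMAIN flood", 120,
                 DNSAction.Truncate)

-- ANY queries have no legitimate high-rate use here; drop them outright.
dbr:setQTypeRate(DNSQType.ANY, 10, 10, "ANY flood", 300, DNSAction.Drop)

-- Never block your own secondaries, monitoring hosts or known resolvers.
-- Placeholder documentation ranges: replace with your real networks.
dbr:excludeRange({"198.51.100.0/24", "2001:db8:100::/48"})

-- dnsdist calls maintenance() once per second; apply() installs blocks.
function maintenance()
  dbr:apply()
end
```

Watch the dnsdist log for the warning-rate messages for a while before lowering the blocking thresholds, since a large recursive resolver behind NAT can legitimately exceed what looks like an abusive rate.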
<div class="moz-cite-prefix">On 28/11/23 21:15, Eric Merkel via
dnsdist wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFNXqfznv053JYs85EfuHjYtk5Lpqssw47cqAOq8eKDKP_R_hQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello all,
<div><br>
</div>
<div>I am a dnsdist noob here seeking some advice. I have set up
and am testing dnsdist in the following configuration.</div>
<div><br>
</div>
<div>4 geographically diverse dnsdist servers load balancing 4
authoritative backend servers for around 30,000 domains/zones.</div>
<div><br>
</div>
<div>I understand how to set up an Abuse pool to handle clients
that reach a certain number of QPS. What I am looking for are
some other example configurations or best practices to help
deal with DOS attacks that other users have experienced in
the past.</div>
<div><br>
</div>
<div>My goal is to put some basic safeguards in place before we
experience an attack rather than scrambling to figure out
something quickly while an attack is occurring.</div>
<div><br>
</div>
<div>Any advice or sample configurations etc would be much
appreciated!</div>
<div><br>
</div>
<div>Best regards,</div>
<div>Eric</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
dnsdist mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a>
<a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/dnsdist">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a>
</pre>
</blockquote>
</body>
</html>