<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.E-MailFormatvorlage18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:357316;
        mso-list-type:hybrid;
        mso-list-template-ids:-1000711912 -1186579192 67567619 67567621 67567617 67567619 67567621 67567617 67567619 67567621;}
@list l0:level1
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-font-family:Calibri;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l1
        {mso-list-id:1868908855;
        mso-list-type:hybrid;
        mso-list-template-ids:1193733048 67567639 67567641 67567643 67567631 67567641 67567643 67567631 67567641 67567643;}
@list l1:level1
        {mso-level-number-format:alpha-lower;
        mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="DE-AT" style="mso-fareast-language:EN-US">Hi Dan!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE-AT" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">This is a known issue and we have not found a simple solution in dnsdist. And obviously it is only a problem if the backend is slow. In our case we are affected as we use Pdns + DB backend
 as backend.<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo2"><span lang="EN-US" style="mso-fareast-language:EN-US">Use a fast name server as additional backend (we used NSD) and dynamically provision targeted zones (and all subzones) on the
 faster backend and redirect the zone to the fast backend (dnsdist rule). Out detection is based on “dsc” statistics collector.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo2"><span lang="EN-US" style="mso-fareast-language:EN-US">Use a fast nameserver instead of dnsdist + slow backend (we use Knot for customers that are constantly under attack)<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">These two methods helped us, but of course add additional operations work to implement and operate it.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">If you find a simple dnsdist based solution to filter these random queries I would be interested too ;-)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Klaus<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>Von:</b> dnsdist <dnsdist-bounces@mailman.powerdns.com> <b>
Im Auftrag von </b>Dan McCombs via dnsdist<br>
<b>Gesendet:</b> Freitag, 29. Dezember 2023 20:11<br>
<b>An:</b> dnsdist@mailman.powerdns.com<br>
<b>Betreff:</b> [dnsdist] Suggestions for rules to block abusive traffic<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi all,<br>
<br>
I'm wondering if anyone has suggestions of reasonable ways to handle this type of abusive traffic with dnsdist.<br>
<br>
We've had on and off attacks recently targeting legitimate domains delegated to our authoritative service flooding queries for random subdomains of varying length and characters/words. i.e.
<a href="http://12345.example.com">12345.example.com</a>, <a href="http://fred.example.com">
fred.example.com</a>, <a href="http://abc178371jd.example.com">abc178371jd.example.com</a>, where
<a href="http://example.com">example.com</a> is a different domain we're authoritative for each attack.<br>
<br>
The dnsdist nodes can handle the traffic, but breaking cache and going through to our backends is having more of an impact.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We have thousands of domains, so it doesn't seem reasonable to apply individual rate limits to them all, but if there is a straight forward way to do something like that I'd be happy to hear it. The source addresses are well known public
 resolvers that we shouldn't rate limit either.<br>
<br>
I'm wondering if there's any way to detect and apply a rule dynamically to respond to queries for one of these domains without affecting the source IP address entirely, and not require us to manually add a rule for each domain as it occurs.<br>
<br>
Any ideas would be appreciated.<br>
<br>
Take care,<br>
<br>
-Dan<br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellpadding="0" width="100%" style="width:100.0%">
<tbody>
<tr>
<td valign="top" style="padding:.75pt 9.0pt .75pt .75pt">
<p class="MsoNormal" style="line-height:16.5pt"><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif"><br>
</span><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif"><img border="0" width="110" height="109" style="width:1.1458in;height:1.1354in" id="_x0000_i1025" src="https://digitaloceanspace.nyc3.digitaloceanspaces.com/do-sig_files/do-email_signature.png"></span><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<div style="margin-top:3.0pt">
<p class="MsoNormal" style="line-height:16.5pt"><b><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#222222"><br>
Dan McCombs<o:p></o:p></span></b></p>
</div>
<div style="margin-bottom:9.0pt">
<p class="MsoNormal" style="line-height:16.5pt"><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#222222">Senior Engineer I - DNS<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="line-height:16.5pt"><span style="font-size:11.5pt;font-family:"Helvetica",sans-serif"><a href="mailto:dmccombs@digitalocean.com" target="_blank"><span style="font-size:10.5pt">dmccombs@digitalocean.com</span></a><o:p></o:p></span></p>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>