<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:HelveticaNeue;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Avenir Next";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:AvenirNext-Regular;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Futura;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.E-mailStijl21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NL link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Hello Frank,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Well. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>I have (i think) a small network this was my first attack in 24 years<br>Yesterday I found that one domain was hit a lot so I blocked that one and after that spoofed it.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>But that was when nawas already was running.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>LMDB </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>was something that I didn’t hear of.<br>All entrys comes from a central mariadb that is connected with my client portal so I have to look in to that how that works.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>I started after the first attack to use pools so I can find out what ip was attacked.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>Here is my config below only vip1 but I have multiple ips setup <br>this gives me on the webinterface the output to see what ip is hit.<br>But I think that with this setup I have to add for the other pdns servers all new lines like<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>newServer({address="ip2:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>newServer({address="ip3:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>====================<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dns_vip1 = newNMG()<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dns_vip1:addMask('46.182.xxx.xxx/32')<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dns_vip1b = newNMG()<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dns_vip1b:addMask('2a00:1bd0:xxxx')<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ip6-xxx" })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>cache1 = newPacketCache(50000, { keepStaleData=true, maxTTL=86400,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>minTTL=0, numberOfShards=4, maxNegativeTTL=600, staleTTL=180 })<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>getPool("ipv4-xxxx"):setCache(cache1)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>getPool("ip6-xxx"):setCache(cache1)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR), OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update)}), RCodeAction(DNSRCode.REFUSED))<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>local dbr = dynBlockRulesGroup()<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>--- Create a dynamic block rule for overall queries/second allowed<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dbr:setQueryRate(<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- The number of queries/second to rate limit at<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 150,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Set the measurement period over the last 10 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 10,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Log the action to syslog<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> "Exceeded query rate limit",<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Add the block for 120 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 120<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>--- Create a dynamic block rule to block queries that have resulted in a NXDOMAIN response<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dbr:setRCodeRate(<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Match the NXDOMAIN response<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> DNSRCode.NXDOMAIN,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- The number of queries/second to rate limit at<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 75,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Set the measurement period over the last 10 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 10,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Log the action to syslog<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> "Exceeded NXD response rate",<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Add the block for 120 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 120<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>--- Create a dynamic block rule to block inbound queries/second from hosts of the ANY type<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>dbr:setQTypeRate(<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Match the ANY query type<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> DNSQType.ANY,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- The number of queries/second to rate limit at<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 50,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Set the measurement period over the last 10 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Set the measurement period over the last 10 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 10,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Log the action to syslog<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> "Exceeded ANY rate",<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> ---- Add the block for 120 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> 120<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>-- https://dnsdist.org/rules-actions.html<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>-- slow down if more then 50 from one ip<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>addAction(MaxQPSIPRule(20, 32, 48), DelayAction(100))<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>-- https://powerdns.org/dnsdist-md/dnsdist-diagrams.md.html<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>getPool(""):setCache(pc)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>setStaleCacheEntriesTTL(3600)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>-- Limit /24's on IPv4 and /64's on IPv6 to 5 QPS<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>addAction(MaxQPSIPRule(4, 32, 48), DropAction())<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>function maintenance()<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> -- Get the addresses that had more than 20 NXDOMAINs in the last 10 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> addresses = exceedNXDOMAINS(10, 20)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> -- Block the addresses for a minute<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'> addDynBlocks(addresses, "Exceeded NXDomain", 60)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>end<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>addAction(NetmaskGroupRule(dns_vip1, false), PoolAction('ipv4-xxx'))<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>addAction(NetmaskGroupRule(dns_vip1b, false), PoolAction('ip6-xxx'))<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>for <o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Van:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Frank @ Kiwazo <frank@kiwazo.com> <br><b>Verzonden:</b> donderdag 27 februari 2025 11:35<br><b>Aan:</b> mailinglist@tikklik.nl<br><b>CC:</b> dnsdist mailing list <dnsdist@mailman.powerdns.com><br><b>Onderwerp:</b> Re: [dnsdist] advice needed<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal>Hi Steffan,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>[NL]Geen probleem, we verstaan je :) Voor veel mensen hier is Engels niet de eerste taal[/NL]<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Do you have more information on the attack? Was it against one particular domain? Random subdomain attack?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>There are a few things you could do, but it all depends on the type of the attack.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- On dnsdist, add Dynamic block rules <a href="https://www.dnsdist.org/guides/dynblocks.html">https://www.dnsdist.org/guides/dynblocks.html</a>. This allows you to block clients that e.g. generate a lot queries which result in an NXDomain, or just to rate limiting (but be careful with rate limiting legitimate resolvers)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- If this was a distributed random subdomain attack, it's quite hard to block those. At the time of the attack, you could block the attacked domain in dnsdist, preventing the queries from going to your backend infrastructure. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- In general, MySQL / PostgreSQL backends suffer a lot from the random subdomain attacks :( A faster backend like LMDB can handle 10x or even 100x more qps. So consider moving to one of those faster backends.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Best of luck fighting the bad folk!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Frank<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"AvenirNext-Regular",serif;color:#F59B22'>Frank Louwers</span><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:8.5pt;font-family:"Futura",serif;color:#154450'>Kiwazo</span></b><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:8.5pt;font-family:"AvenirNext-Regular",serif;color:#154450'>e: <a href="mailto:hello@kiwazo.be">hello@kiwazo.be</a></span><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:8.5pt;font-family:"AvenirNext-Regular",serif;color:#154450'>m: +32 475 66 57 57</span><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Avenir Next",serif;color:black'><br style='caret-color: rgb(0, 0, 0);font-variant-caps: normal;text-align:start;-webkit-text-stroke-width: 0px;word-spacing:0px'><br></span><span style='font-size:10.0pt;font-family:"Avenir Next",serif;color:black'><o:p></o:p></span></p></div><p class=MsoNormal><br><img border=0 width=184 height=55 style='width:1.9166in;height:.5729in' id="Afbeelding_x0020_1" src="cid:image001.png@01DB890E.E6FCDB80"><o:p></o:p></p></div></div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On 27 Feb 2025, at 11:20, Steffan via dnsdist <<a href="mailto:dnsdist@mailman.powerdns.com">dnsdist@mailman.powerdns.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hello All,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>I had the following setup:<br>server ns1:</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Dnsdist -> 127.0.0.1 pdns<br>sql backend replicated database<br>Server ns2:</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>DNSdist -> 127.0.0.1 pdns sql backend replicated database</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Last week I was attacked 3 times.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Flooding my system<span class=apple-converted-space> </span><br>yesterday 53 miljioen hits in 10 minutes</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Im now on nawas DDOs temperarly<br>That was the online way to stop it.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><br>I now splitted my DNS server (multiple resellers)<br>and the above setup is now 3 times so separate the load.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>The question…<br>What is the best way now<br>keep this setup<span class=apple-converted-space> </span><br>- 6x dnsdist<br>- 6 different ns servers</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Or should I use one dnsdist that connects tyo the 6 dns servers for load balancing</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>My idee was to keep this setup and then let all 6 dnsdist connect to the 6 servers so if there are problems I can remove a dns from one of the 6</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>But how to do that without exposing pdns to the public</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Sorry im dutch<span class=apple-converted-space> </span></span><span lang=EN-US style='font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif'>😊</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><br>Hope I made myself clear</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>With regards</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'><br>Steffan</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"HelveticaNeue",serif'>_______________________________________________<br>dnsdist mailing list<br></span><a href="mailto:dnsdist@mailman.powerdns.com"><span style='font-size:10.5pt;font-family:"HelveticaNeue",serif'>dnsdist@mailman.powerdns.com</span></a><span style='font-size:10.5pt;font-family:"HelveticaNeue",serif'><br></span><a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist"><span style='font-size:10.5pt;font-family:"HelveticaNeue",serif'>https://mailman.powerdns.com/mailman/listinfo/dnsdist</span></a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>