[Pdns-users] Fwd: DNS RRL for PowerDNS
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Sep 13 14:44:39 UTC 2012
Hi Jörg!
On 13.09.2012 14:17, joerg jungermann wrote:
> Hi Klaus!
>
>> Are there any plans to implement DNS RRL
>> (http://www.redbarn.org/dns/ratelimits) or similar for PowerDNS? These
>> DNS amplification attacks are really annoying.
> Yes, this might be a nice feature.
>
> As DNS traffic regularly consists of a lot of small UDP packets, that
> have to be transported from kernel space to the application.
>
> This is very expensive if you consider a friendly $IP will hit the limit and
> you think about dropping those queries and you have a lot of DNS traffic.
>
> But if you are using a Un*x system like *BSD or Linux you are able to
> achieve this via $PACKETFILTER of the kernel.
>
> On linux you can use the iptables hashlimit match in srcip mode for this.
>
> example:
> -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
> --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
> --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse
>
Thanks for the iptables rule. I think I will try to combine it with a
check for ANY queries to only block the current ongoing ANY attacks and
to avoid false positives. And it could help reducing the number of IP
addresses which have to be tracked by the hashlimit module.
btw: In current ANY queries the UDP source port correlates with the DNS
transaction id. I have not found any means to compare those values in an
iptables rule - are you aware of such a rule?
thanks
Klaus
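The following is an added example, not code from either poster or from PowerDNS. It models in Python what the quoted hashlimit rule does (a per-source token bucket with `--hashlimit-above 200/sec` and `--hashlimit-burst 500`) and adds the refinement Klaus proposes: parse the DNS question and only rate-limit queries whose QTYPE is ANY, so ordinary resolvers never hit the limit and the per-source table stays small. The packet builder, the sample source addresses and the traffic pattern are constructed for the demonstration; `SourceLimiter` is an approximation of the kernel module's credit accounting, not a copy of it, and it fails open when its table is full (an assumption of this example).

```python
"""Added example: per-source rate limiting restricted to DNS ANY queries."""
import struct
from collections import defaultdict

QTYPE_ANY = 255
QTYPE_A = 1


def build_query(txid, qname, qtype):
    """Construct a minimal DNS query message (header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (txid, qname, qtype) for a DNS query, or None if it is not a well-formed query."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set (a response) or no question section
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype


class SourceLimiter:
    """Token bucket per source address, approximating hashlimit --hashlimit-mode srcip.

    rate_per_sec ~ --hashlimit-above, burst ~ --hashlimit-burst,
    max_entries ~ --hashlimit-htable-max (assumption: fail open when the table is full).
    """

    def __init__(self, rate_per_sec, burst, max_entries):
        self.rate, self.burst, self.max_entries = float(rate_per_sec), float(burst), max_entries
        self.buckets = {}  # srcip -> [tokens, last_seen]

    def allow(self, srcip, now):
        bucket = self.buckets.get(srcip)
        if bucket is None:
            if len(self.buckets) >= self.max_entries:
                return True  # no room to track this source: let it through rather than drop
            bucket = self.buckets[srcip] = [self.burst, now]
        tokens = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[1] = now
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return True
        bucket[0] = tokens
        return False  # over the limit: the iptables rule would match and jump to the drop chain


def filter_queries(events, limiter, only_qtype=QTYPE_ANY):
    """Run (timestamp, srcip, packet) events through the limiter.

    Only queries of type only_qtype are counted against the source; pass None to
    count every query, which is what the plain --dport 53 hashlimit rule does.
    """
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for ts, src, pkt in sorted(events, key=lambda e: e[0]):
        q = parse_question(pkt)
        if only_qtype is not None and (q is None or q[2] != only_qtype):
            stats[src]["passed"] += 1  # not an ANY query: never rate-limited
            continue
        stats[src]["passed" if limiter.allow(src, ts) else "dropped"] += 1
    return dict(stats)


def make_events():
    """Constructed traffic: one source blasting ANY queries, one busy resolver asking for A records."""
    events = []
    for i in range(600):  # 600 ANY queries in the same instant, then 300 more a second later
        events.append((0.0, "198.51.100.7", build_query(i, "example.com", QTYPE_ANY)))
    for i in range(300):
        events.append((1.0, "198.51.100.7", build_query(600 + i, "example.com", QTYPE_ANY)))
    for i in range(600):  # same volume of ordinary A queries from a legitimate resolver
        events.append((0.0, "192.0.2.53", build_query(i, "example.com", QTYPE_A)))
    return events


def demo():
    """ANY-only limiting with the quoted rule's parameters (200/sec, burst 500, htable-max 32768)."""
    return filter_queries(make_events(), SourceLimiter(200, 500, 32768))


if __name__ == "__main__":
    for src, counts in demo().items():
        print(src, counts)
```

With the ANY filter the attacking source gets its burst of 500 and then 200 per second, while the resolver sending the same number of A queries is never touched; calling `filter_queries(make_events(), SourceLimiter(200, 500, 32768), only_qtype=None)` shows the unfiltered rule dropping 100 of the resolver's queries as well, which is the false positive Klaus wants to avoid.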