<div dir="ltr"><div dir="ltr">On Fri, Jul 16, 2021 at 12:21 PM Peter van Dijk via Pdns-users <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Fri, 2021-07-16 at 12:08 +0200, Thomas Mieslinger via Pdns-users<br>
wrote:<br>
> Suggestions from older threads (Klaus Darrilon):<br>
> - Put that zone in a more efficient Backend (he suggested lmdb)<br>
<br>
Good idea.<br>
<br>
> - Put that zone in a more efficient Software (he suggested nsd) and use<br>
> dnsdist to route the traffic to the alternate Software<br>
<br>
Also a good idea.<br>
<br></blockquote><div><br></div><div><br></div><div>Not to mention, you could use dnsdist (fronting a localhost pdns on an alternate port, bound to 127.0.0.1) to match that base domain name and apply a rate limit against it sending queries for that domain to the backend.</div><div><br></div><div>It's a couple of extra lines of Lua. I've not actually used the rate limiting so I don't have a handy example but it'd be something like:</div><div><br></div><div>-- Match on .<a href="http://mydomain.com">mydomain.com</a> and rate limit it</div><div>addAction( RegexRule( "\\.mydomain\\.com$" ), QPSAction( your_desired_rate_limit ) )<br></div><div>-- Fall through for everything else</div><div>addAction( AllRule(), PoolAction( "your_backend_pool" ) )<br></div><div><br></div><div>Lua regexes are a little weird. Definitely note the double escapes in the regex. It doesn't treat the period as an escaped period in RegexRule if you only have one "\" (and you'll want to tear out your hair when it matches <a href="http://itsmydomain.com">itsmydomain.com</a> and <a href="http://blahblahmydomain.com">blahblahmydomain.com</a>).</div><div><br></div><div>I'm assuming that the domain under attack is one that you care about, vs a purely garbage domain, in which case you could just block it at the dnsdist level too.<br></div><div> </div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
> Very old suggestion:<br>
> - Use a firewall uint32 match to lock out queries to the attacked zone.<br>
<br>
Should work, bit more work to manage.<br>
<br>
> Crazy idea:<br>
> - enable DNSSec on that zone<br>
> - setup pdns recursor or similar and delegate the zone to it<br>
> - pdns-recursor should now be able to efficiently calculate the<br>
> NXDOMAINs based on NSEC/NSEC3 information<br>
<br>
Recursor can do that, but it cannot serve the zone to the world. It is<br>
not an Authoritative server.<br>
<br>
So, sadly, this suggestion does not work.<br>
<br>
Kind regards,<br>
-- <br>
Peter van Dijk<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
<br>
_______________________________________________<br>
Pdns-users mailing list<br>
<a href="mailto:Pdns-users@mailman.powerdns.com" target="_blank">Pdns-users@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
</blockquote></div></div>
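<div>As an added example (not part of the thread and not PowerDNS's own documentation), the following is a complete dnsdist configuration for the setup described above: the authoritative server on an alternate localhost port behind dnsdist, the attacked zone rate limited before it reaches the backend, everything else passed through. The zone name example.com, the backend address 127.0.0.1:5300, the pool name "auth" and the 100 qps limit are placeholders to adjust. The regex rule from the message is kept as a comment for reference; the active rule uses a SuffixMatchNode instead, which avoids the double-escaping issue entirely and matches only the zone apex and names below it, so itsexample.com is not caught. All functions used are standard dnsdist configuration functions.</div>

```lua
-- Added example, not code from the list post. Adjust the placeholders:
-- "example.com", "127.0.0.1:5300", the pool name "auth" and the 100 qps limit.

-- dnsdist listens on the public address; the authoritative server sits on
-- localhost on an alternate port so that only dnsdist is reachable from outside.
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300", pool = "auth"})

-- The regex form from the post, kept for reference. In a Lua string "\\."
-- becomes the regex "\." (a literal dot); with a single "\" the "." would mean
-- "any character" and names like itsexample.com would match as well.
-- addAction(RegexRule("\\.example\\.com$"), QPSAction(100))

-- Suffix match on the DNS name tree: no regex escaping, and it matches the
-- apex and every name below it, but not itsexample.com.
local attacked = newSuffixMatchNode()
attacked:add(newDNSName("example.com"))

-- Limit queries for the attacked zone to 100 qps in total. QPSAction drops
-- packets above the limit and lets queries below it fall through to the
-- following rules, so they still reach the backend pool.
addAction(SuffixMatchNodeRule(attacked), QPSAction(100))

-- If the zone is disposable rather than one you care about, drop it outright
-- instead of rate limiting (uncomment and remove the QPSAction line above).
-- addAction(SuffixMatchNodeRule(attacked), DropAction())

-- Everything else, including under-limit queries for the zone, goes to the backend.
addAction(AllRule(), PoolAction("auth"))
```

<div>Rules are evaluated in the order they are added, so the rate limit must be registered before the catch-all PoolAction; a QPSAction placed after AllRule() would never be reached. The limit is global across all clients for that zone; if the goal is per-source fairness rather than a ceiling for the zone as a whole, dnsdist's per-client QPS rules are the better fit.</div>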