[dnsdist] Rate Limiting Against DDOS
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Thu Jan 14 10:17:25 UTC 2016
Thanks for this Bert,
I know dnsdist, and I'm also planning to use it, but .... can dnsdist ban IPs which are making a lot of requests and unban them automatically?
Thanks.
-----Original Message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Thursday, 14 January 2016 10:01
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] Rate Limiting Against DDOS
On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> Morning Everyone!!
GOOD MORNING!
> I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> I’m using a modified script that works perfectly, but I’m limited by one of the settings.
Unless you are seeing hundreds of thousands of queries per second, dnsdist might be a better choice for you, http://dnsdist.org/
It has a bunch of simple settings that probably do just what you want.
See for example:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
But dnsdist offers way more than that to help you. You might for example delay some answers, or strip the RD bit so your servers don't need to do any work for certain subnets etc.
> How do you rate limit your DNS servers?
With dnsdist. Feel free to join us on the dnsdist mailing list (http://mailman.powerdns.com/mailman/listinfo/dnsdist) and let's see if we can make a nice config for you.
Bert
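As an added illustration, not part of the original thread, here is a dnsdist Lua configuration fragment covering the features Bert mentions (per-source QPS limiting, delaying answers, stripping the RD bit for a subnet) together with dynamic blocks, which give the automatic ban and unban Alejandro asks about. The recursor address, the 192.0.2.0/24 subnet and all thresholds are assumed placeholders, and the dynamic-block API shown is the current one rather than the one available in January 2016.

```lua
-- dnsdist.conf (Lua). Added example; backend address, subnet and thresholds
-- are illustrative placeholders, not values from the thread.
newServer({address = "127.0.0.1:5300"})  -- the recursor dnsdist fronts (assumed)
setLocal("0.0.0.0:53")

-- 1. Per-source QPS limit: each client (/32 for IPv4, /64 for IPv6) may send
--    20 queries/s; excess queries are dropped before they reach the recursor.
addAction(MaxQPSIPRule(20, 32, 64), DropAction())

-- 2. Softer treatment of one subnet: slow its answers down by 100 ms (UDP only)
--    instead of dropping them, so a misbehaving resolver backs off.
local slowNets = newNMG()
slowNets:addMask("192.0.2.0/24")
addAction(NetmaskGroupRule(slowNets), DelayAction(100))

-- 3. Strip the RD bit for that subnet: the recursor then answers only from
--    cache or with a referral and does no recursion work on its behalf.
addAction("192.0.2.0/24", NoRecurseAction())

-- 4. Automatic ban/unban: any source exceeding 30 queries/s averaged over the
--    last 10 s is blocked for 60 s. The block expires by itself, which is the
--    "unban"; a still-noisy client simply gets re-blocked on the next pass.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(30, 10, "Exceeded query rate", 60)
setDynBlocksAction(DNSAction.Drop)

-- dnsdist calls maintenance() roughly once per second; re-evaluate the
-- dynamic block rules there.
function maintenance()
  dbr:apply()
end
```

From the dnsdist console, showDynBlocks() lists the currently blocked sources with their remaining block time, which is the quickest way to confirm the automatic ban and expiry are behaving as intended.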