[dnsdist] Rate Limiting Against DDOS

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Thu Jan 14 10:17:25 UTC 2016


Thanks for this Bert, 

I know dnsdist, and I'm planning also to use it, but ... can dnsdist ban IPs which are making a lot of requests and unban them automatically?

Thanks.

-----Original Message-----
From: bert hubert [mailto:bert.hubert at powerdns.com] 
Sent: Thursday, 14 January 2016 10:01
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] Rate Limiting Against DDOS

On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> Morning Everyone!!

GOOD MORNING!

> I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> I’m using a modified script who works perfectly, but I’m limited for one of the settings.

Unless you are seeing hundreds of thousands of queries per second, dnsdist might be a better choice for you, http://dnsdist.org/

It has a bunch of simple settings that probably do just what you want.

See for example:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting

But dnsdist offers way more than that to help you. You might for example delay some answers, or strip the RD bit so your servers don't need to do any work for certain subnets etc.

> How do you rate limit your DNS servers?

With dnsdist. Feel free to join us on the dnsdist mailing list (http://mailman.powerdns.com/mailman/listinfo/dnsdist) and let's see if we can make a nice config for you.

	Bert
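As an added example (not part of this thread and not taken from the dnsdist project's own documentation), here is a dnsdist Lua configuration that applies the mechanisms Bert lists (per-source QPS limiting, delaying answers, stripping the RD bit for a subnet) and uses dnsdist's dynamic blocks for the temporary, self-expiring ban Alejandro asks about. It assumes dnsdist 1.0 or later, a recursor listening on 127.0.0.1:5300, and constructed addresses from the documentation prefixes (192.0.2.0/24, 198.51.100.0/24).

```lua
-- Added example configuration, not from the thread or the dnsdist docs.
-- Assumptions: dnsdist >= 1.0, recursor on 127.0.0.1:5300,
-- public listener address and subnets below are constructed placeholders.

-- Listen on the public address and forward to the local recursor.
setLocal("192.0.2.53:53")                 -- assumed public listener
newServer({address = "127.0.0.1:5300", name = "recursor"})

-- Accept queries from everywhere (an open resolver would tighten this).
setACL({"0.0.0.0/0", "::/0"})

-- Per-source QPS limit, counted per /32 (IPv4) and per /64 (IPv6):
-- above 100 qps the excess is delayed by 200 ms instead of dropped,
-- which slows an abuser while clients behind a busy NAT still get answers.
addAction(MaxQPSIPRule(100, 32, 64), DelayAction(200))

-- Hard cut-off: above 500 qps from one source, drop the excess outright.
addAction(MaxQPSIPRule(500, 32, 64), DropAction())

-- Strip the RD bit for a subnet that should not get recursion from us,
-- so the recursor does no work for it (constructed example subnet).
local noRecurse = newNMG()
noRecurse:addMask("198.51.100.0/24")
addAction(NetmaskGroupRule(noRecurse), NoRecurseAction())

-- Dynamic blocks: dnsdist calls maintenance() roughly once per second.
-- Any source that sent more than 200 queries over the last 10 seconds is
-- blocked for 60 seconds; the block expires by itself, so no manual unban
-- is needed. Blocked queries are dropped by default.
function maintenance()
  addDynBlocks(exceedQRate(200, 10), "Exceeded query rate", 60)
end
```

Thresholds are illustrative; tune them from observed traffic (for example with `showDynBlocks()` and `topQueries()` on the dnsdist console) before relying on them, since a low limit punishes large NATs and a high one lets a flood through.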

