[dnsdist] Rate Limiting Against DDOS
bert hubert
bert.hubert at powerdns.com
Thu Jan 14 10:56:01 UTC 2016
On Thu, Jan 14, 2016 at 10:17:25AM +0000, Alejandro Adroher Mellado wrote:
> I know dnsdist, and I'm planning also to use it, but .... can dnsdist ban IP's which are making a lot of requests and unban it
> automatically?
Actually, yes, although this is not documented well:
function maintenance()
    addDynBlocks(exceedQTypeRate(1, 10, 10), "Exceeded A query rate", 60)
end
This adds a 60 second dynamic block to any IP address that exceeds 10
A queries per second over 10 seconds, and leaves the block in place for 60
seconds.
Later today (currently building), dnsdist will support this:
function maintenance()
    addDynBlocks(exceedQRate(10, 10), "Exceeded query rate", 60)
end
Which we somehow neglected to implement. This blocks IP addresses doing more
than 10 queries/s over 10 seconds for any query type.
You can also do: showDynBlocks() to get an overview of what is blocked, or
clearDynBlocks().
> showDynBlocks()
Netmask        Seconds  Blocks  Reason
127.0.0.1/32   53       2       Exceeded query rate
::1/128        60       2       Exceeded query rate
The function 'maintenance' gets called every second, and you can do lots of
things there:
exceedServFails(rate, seconds): get set of addresses that exceed rate
    servfails/s over seconds seconds
exceedNXDOMAINs(rate, seconds): get set of addresses that exceed rate
    NXDOMAIN/s over seconds seconds
exceedRespByterate(rate, seconds): get set of addresses that exceeded rate
    bytes/s answers over seconds seconds
exceedQTypeRate(type, rate, seconds): get set of addresses that exceed rate
    queries/s for queries of type type over seconds seconds
See https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md
Enjoy!
Bert
>
> Thanks.
>
> -----Original Message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Thursday, 14 January 2016 10:01
> To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
> Cc: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Rate Limiting Against DDOS
>
> On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> > Morning Everyone!!
>
> GOOD MORNING!
>
> > I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> > I’m using a modified script that works perfectly, but I’m limited for one of the settings.
>
> Unless you are seeing hundreds of thousands of queries per second, dnsdist might be a better choice for you, http://dnsdist.org/
>
> It has a bunch of simple settings that probably do just what you want.
>
> See for example:
> https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
>
> But dnsdist offers way more than that to help you. You might for example delay some answers, or strip the RD bit so your servers don't need to do any work for certain subnets etc.
>
> > How do you rate limit your DNS servers?
>
> With dnsdist. Feel free to join us on the dnsdist mailing list (http://mailman.powerdns.com/mailman/listinfo/dnsdist) and let's see if we can make a nice config for you.
>
> Bert
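A constructed Python model of the ban-and-auto-unban mechanics discussed in the thread (a per-second maintenance() pass, a rate-over-window check in the style of exceedQRate/exceedQTypeRate, and blocks that expire on their own). This is added illustration, not dnsdist's own code; it assumes "rate queries/s over seconds seconds" means more than rate*seconds queries within the window, and the client addresses and traffic pattern in simulate() are made up.

```python
from collections import defaultdict, deque

class DynBlockModel:
    # Constructed model of dnsdist-style dynamic blocks; not dnsdist's own code.
    def __init__(self, rate, seconds, block_seconds):
        self.rate, self.seconds, self.block_seconds = rate, seconds, block_seconds
        self.queries = defaultdict(deque)  # ip -> deque of (timestamp, qtype)
        self.blocks = {}                   # ip -> (expiry, reason), what showDynBlocks() lists
    def is_blocked(self, ip, now):
        return ip in self.blocks and now < self.blocks[ip][0]
    def record(self, ip, now, qtype="A"):
        """Called per query; returns False (query dropped) while the client is blocked."""
        if self.is_blocked(ip, now):
            return False
        self.queries[ip].append((now, qtype))
        return True
    def exceed_qrate(self, now, qtype=None):
        """Addresses with more than rate*seconds queries in the last `seconds` seconds;
        with qtype set only that type is counted (the exceedQTypeRate variant)."""
        offenders = set()
        for ip, q in self.queries.items():
            while q and q[0][0] <= now - self.seconds:  # drop samples outside the window
                q.popleft()
            if sum(1 for _, t in q if qtype is None or t == qtype) > self.rate * self.seconds:
                offenders.add(ip)
        return offenders
    def maintenance(self, now):
        """Run once per second: expire old blocks (the automatic unban), then add new ones."""
        for ip in [ip for ip, (exp, _) in self.blocks.items() if exp <= now]:
            del self.blocks[ip]
        for ip in self.exceed_qrate(now):
            self.blocks[ip] = (now + self.block_seconds, "Exceeded query rate")
        return sorted(self.blocks)

def simulate():
    """Constructed traffic: 15 q/s from 198.51.100.7 and 2 q/s from 192.0.2.20 for 10 s,
    then silence. Returns who was blocked, queries dropped, and when the 60 s block expired."""
    m = DynBlockModel(rate=10, seconds=10, block_seconds=60)
    dropped = defaultdict(int)
    for t in range(10):
        for ip, qps in (("198.51.100.7", 15), ("192.0.2.20", 2)):
            for i in range(qps):
                if not m.record(ip, t + i / qps):
                    dropped[ip] += 1
        m.maintenance(t + 1)
    blocked = sorted(m.blocks)
    for now in range(11, 200):  # attack is over; wait for the block to fall off by itself
        m.maintenance(now)
        if not m.is_blocked("198.51.100.7", now):
            break
    return {"blocked": blocked, "dropped": dict(dropped), "unblocked_at": now}
```

The noisy client crosses 100 queries in the window during the seventh second and is dropped for the rest of the attack; the quiet client is never touched, and the block disappears once its 60 s expiry passes without the maintenance pass renewing it.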