[dnsdist] Rate Limiting Against DDOS

bert hubert bert.hubert at netherlabs.nl
Thu Jan 14 12:36:03 UTC 2016


On Thu, Jan 14, 2016 at 11:43:52AM +0000, Alejandro Adroher Mellado wrote:
> I have a week to install 2 dnsdist on 2 pdns-recursors (Ubuntu 14.04) and make it work without problems.
> I hope that the documentation available is enough for me.

Hi Alejandro,

We just added this:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#dynamic-rule-generation

Packages to match are queued in our builder.

> Any advice about these "nice config" you talked about?

Well, that depends on what you want. You can use the functions linked above
to block clients that cause too many queries, or too many ANY queries, too
many servfails, or use too much bandwidth. 

If you'd like to block on anything else, please let us know.

	Bert

> 
> Thanks again.
> 
> -----Original Message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com] 
> Sent: jueves, 14 de enero de 2016 11:56
> To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
> Cc: dnsdist at mailman.powerdns.com
> Subject: Re: [dnsdist] Rate Limiting Against DDOS
> 
> On Thu, Jan 14, 2016 at 10:17:25AM +0000, Alejandro Adroher Mellado wrote:
> > I know dnsdist, and I'm planning also to use it, but  .... can dnsdist 
> > ban IP's which are making a lot of requests and unban it automatically?
> 
> Actually, yes, although this is not documented well:
> 
> function maintenance()
>         addDynBlocks(exceedQTypeRate(1, 10, 10), "Exceeded A query rate", 60) end
> 
> This adds a 60-second dynamic block to any IP address that exceeds 10 A queries per second over 10 seconds, and leaves the block in place for 60 seconds.
> 
> Later today (currently building), dnsdist will support this:
> 
> function maintenance()
>         addDynBlocks(exceedQRate(10, 10), "Exceeded query rate", 60) end
> 
> Which we somehow neglected to implement. This blocks IP addresses doing more than 10 queries/s over 10 seconds for any query type.
> 
> You can also do: showDynBlocks() to get an overview of what is blocked, or clearDynBlocks().
> 
> > showDynBlocks()
> Netmask                   Seconds   Blocks Reason
> 127.0.0.1/32                   53        2 Exceeded query rate
> ::1/128                        60        2 Exceeded query rate
> 
> The function 'maintenance' gets called every second, and you can do lots of things there: 
> 
> exceedServFails(rate, seconds): get set of addresses that exceed rate servfails/s over seconds seconds
> 
> exceedNXDOMAINs(rate, seconds): get set of addresses that exceed rate NXDOMAIN/s over seconds seconds
> 
> exceedRespByterate(rate, seconds): get set of addresses that exceeded rate bytes/s of answers over seconds seconds
> 
> exceedQTypeRate(type, rate, seconds): get set of addresses that exceed rate queries/s for queries of type type over seconds seconds
> 
> See https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md
> 
> Enjoy!
> 
> 	Bert
> 
> > 
> > Thanks.
> > 
> > -----Original Message-----
> > From: bert hubert [mailto:bert.hubert at powerdns.com]
> > Sent: jueves, 14 de enero de 2016 10:01
> > To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
> > Cc: pdns-users at mailman.powerdns.com
> > Subject: Re: [Pdns-users] Rate Limiting Against DDOS
> > 
> > On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> > > Morning Everyone!!
> > 
> > GOOD MORNING!
> > 
> > > I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> > > I’m using a modified script which works perfectly, but I’m limited for one of the settings.
> > 
> > Unless you are seeing hundreds of thousands of queries per second, 
> > dnsdist might be a better choice for you, http://dnsdist.org/
> > 
> > It has a bunch of simple settings that probably do just what you want.
> > 
> > See for example:
> > https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
> > 
> > But dnsdist offers way more than that to help you. You might for example delay some answers, or strip the RD bit so your servers don't need to do any work for certain subnets etc.
> > 
> > > How do you rate limit your DNS servers?
> > 
> > With dnsdist. Feel free to join us on the dnsdist mailing list (http://mailman.powerdns.com/mailman/listinfo/dnsdist ) and let's see if we can make a nice config for you.
> > 
> > 	Bert
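The thread above shows the dynamic-block helpers one at a time. The following dnsdist.conf fragment is an added example, not code from Bert's messages or from the dnsdist project, that combines them in a single maintenance() hook and adds the one thing a production deployment needs first: an exclusion list so the recursors and monitoring hosts behind dnsdist are never blocked. It assumes the API as described in the thread (the exceed* functions return a table keyed by client address that addDynBlocks accepts, and maintenance() runs once per second); the backend addresses, netmasks, rates, windows and block durations are made up for illustration and must be tuned to real traffic.

```lua
-- Added example (not from the original post or from the dnsdist project).
-- Assumes the 2016-era API shown in the thread: exceedQRate, exceedQTypeRate,
-- exceedServFails, exceedNXDOMAINs and exceedRespByterate return a table keyed
-- by client address, and addDynBlocks(table, reason, seconds) accepts it.
-- Backend addresses, netmasks and thresholds below are assumed values.

newServer("192.0.2.10")   -- assumed pdns-recursor 1
newServer("192.0.2.11")   -- assumed pdns-recursor 2

-- Sources that must never be dynamically blocked: the recursors themselves,
-- our monitoring, and localhost (a health-check loop must not block us).
local neverBlock = newNMG()
neverBlock:addMask("192.0.2.0/24")   -- assumed infrastructure range
neverBlock:addMask("127.0.0.0/8")
neverBlock:addMask("::1/128")

-- Remove excluded sources from a result table before it reaches addDynBlocks.
-- Clearing a field during pairs() traversal is permitted by Lua.
local function withoutAllowed(offenders)
  for addr, _ in pairs(offenders) do
    if neverBlock:match(addr) then
      offenders[addr] = nil
    end
  end
  return offenders
end

-- One entry per rule: how to measure, the reason shown by showDynBlocks(),
-- and the block duration. Short blocks for the generic rate rule so a bursty
-- but legitimate client recovers quickly; longer blocks for ANY floods and
-- answer-bandwidth abuse, which are the amplification patterns.
local rules = {
  { get = function() return exceedQRate(50, 10) end,
    reason = "Exceeded query rate",        seconds = 60 },
  { get = function() return exceedQTypeRate(255, 5, 10) end,   -- 255 = ANY
    reason = "Exceeded ANY query rate",    seconds = 300 },
  { get = function() return exceedServFails(10, 10) end,
    reason = "Exceeded ServFail rate",     seconds = 120 },
  { get = function() return exceedNXDOMAINs(20, 10) end,
    reason = "Exceeded NXDOMAIN rate",     seconds = 120 },
  { get = function() return exceedRespByterate(100000, 10) end, -- bytes/s of answers
    reason = "Exceeded answer bandwidth",  seconds = 300 },
}

-- dnsdist calls maintenance() once per second; every rule is evaluated each
-- time, so a client that trips several rules is blocked by each of them.
function maintenance()
  for _, rule in ipairs(rules) do
    addDynBlocks(withoutAllowed(rule.get()), rule.reason, rule.seconds)
  end
end
```

Run dnsdist with this configuration, generate some traffic, and use showDynBlocks() on the console to see which rule fired and for how long; clearDynBlocks() lifts everything at once. The exclusion list is the part worth getting right before tuning thresholds: without it, the recursors' own replies through dnsdist (or a monitoring host doing ANY queries) are the first thing the ServFail, NXDOMAIN and bandwidth rules will catch.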