[dnsdist] Rate Limiting Against DDOS

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Thu Jan 14 15:01:28 UTC 2016


Once the applications are installed on both recursor servers I will try to go step by step. Maybe we can write a little manual all together.

The first thing I need to know is which port to set dnsdist on. As far as I understand, I need to set it on port 53, moving the recursor port to another (in this case 7753). (Not sure about it.)

1st: Create the basic config file dnsdist.conf
(in the documentation it is placed in /etc/dnsdist.conf, but on my recently installed dnsdist it's placed in /etc/init/dnsdist.conf)

newServer{address="IP-recursor1:7753", checkType="A", checkName="www.google.com.", mustResolve=true, qps=100, order=1}
newServer{address="IP-recursor2:7753", checkType="A", checkName="www.google.com.", mustResolve=true, qps=100, order=2}
setServerPolicy(firstAvailable)
webserver("IPrecursor1:8083", "password")

In the other server's config file the two newServer lines will be swapped.

Once this config was checked ... I launched dnsdist and I get two downstream servers up, and also the webserver, but dnsdist is still listening on local port 127.0.0.1:53 when in the config file I use the external IPs of the servers.

What is happening? There is nothing listening on External-IP:53

-----Original Message-----
From: dnsdist-bounces at mailman.powerdns.com [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Alejandro Adroher Mellado
Sent: Thursday, 14 January 2016 12:44
To: bert hubert <bert.hubert at powerdns.com>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rate Limiting Against DDOS

Many thanks Bert!

I have a week to install 2 dnsdist on 2 pdns-recursors (Ubuntu 14.04) and make it work without problems.
I hope that the documentation available is enough for me.

Any advice about this "nice config" you talked about?

Thanks again.

-----Original Message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Thursday, 14 January 2016 11:56
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
Cc: dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rate Limiting Against DDOS

On Thu, Jan 14, 2016 at 10:17:25AM +0000, Alejandro Adroher Mellado wrote:
> I know dnsdist, and I'm also planning to use it, but ... can dnsdist
> ban IPs which are making a lot of requests and unban them automatically?

Actually, yes, although this is not documented well:

function maintenance()
        addDynBlocks(exceedQTypeRate(1, 10, 10), "Exceeded A query rate", 60)
end

This adds a 60 second dynamic block to any IP address that exceeds 10 A queries per second over 10 seconds, and leaves the block in place for 60 seconds.

Later today (currently building), dnsdist will support this:

function maintenance()
        addDynBlocks(exceedQRate(10, 10), "Exceeded query rate", 60)
end

Which we somehow neglected to implement. This blocks IP addresses doing more than 10 queries/s over 10 seconds for any query type.

You can also do: showDynBlocks() to get an overview of what is blocked, or clearDynBlocks().

> showDynBlocks()
Netmask                   Seconds   Blocks Reason
127.0.0.1/32                   53        2 Exceeded query rate
::1/128                        60        2 Exceeded query rate

The function 'maintenance' gets called every second, and you can do lots of things there:

exceedServFails(rate, seconds): get set of addresses that exceed rate servfails/s over seconds seconds

exceedNXDOMAINs(rate, seconds): get set of addresses that exceed rate NXDOMAIN/s over seconds seconds

exceedRespByterate(rate, seconds): get set of addresses that exceeded rate bytes/s answers over seconds seconds

exceedQTypeRate(type, rate, seconds): get set of addresses that exceed rate queries/s for queries of type type over seconds seconds

See https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md

Enjoy!

	Bert

> 
> Thanks.
> 
> -----Original Message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Thursday, 14 January 2016 10:01
> To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
> Cc: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Rate Limiting Against DDOS
> 
> On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> > Morning Everyone!!
> 
> GOOD MORNING!
> 
> > I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> > I’m using a modified script which works perfectly, but I’m limited by one of the settings.
> 
> Unless you are seeing hundreds of thousands of queries per second, 
> dnsdist might be a better choice for you, http://dnsdist.org/
> 
> It has a bunch of simple settings that probably do just what you want.
> 
> See for example:
> https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting
> 
> But dnsdist offers way more than that to help you. You might for example delay some answers, or strip the RD bit so your servers don't need to do any work for certain subnets etc.
> 
> > How do you rate limit your DNS servers?
> 
> With dnsdist. Feel free to join us on the dnsdist mailinglist (http://mailman.powerdns.com/mailman/listinfo/dnsdist ) and let's see if we can make a nice config for you.
> 
> 	Bert
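
Added example, not part of the original thread and not the posters' or the project's own configuration: a dnsdist.conf for the first server that combines the backend lines from the top message with an explicit listen address (with no setLocal or addLocal line dnsdist binds 127.0.0.1:53 only) and the dynamic-block calls from Bert's reply. The 192.0.2.x and 198.51.100.0/24 addresses, the password, and every threshold other than the 10 queries/s one are constructed placeholders.

```lua
-- dnsdist.conf for server 1 (added example, placeholder addresses).
-- Assumed layout: dnsdist on 192.0.2.11:53, the local recursor moved to
-- port 7753, the second recursor on 192.0.2.12:7753.

-- Listen on the external address. Without a setLocal/addLocal line,
-- dnsdist listens on 127.0.0.1:53 only.
setLocal("192.0.2.11:53")

-- The default ACL admits only loopback, private and link-local ranges.
-- Add the client networks that are allowed to query this resolver
-- (198.51.100.0/24 stands in for them) rather than opening it to everyone.
addACL("198.51.100.0/24")

-- Backends: the local recursor first, the peer as fallback.
-- On server 2 the two 'order' values are swapped.
newServer{address="192.0.2.11:7753", checkType="A", checkName="www.google.com.",
          mustResolve=true, qps=100, order=1}
newServer{address="192.0.2.12:7753", checkType="A", checkName="www.google.com.",
          mustResolve=true, qps=100, order=2}

-- firstAvailable: use the lowest-'order' server that is up and has not
-- exceeded its qps limit.
setServerPolicy(firstAvailable)

-- Statistics web server. It is reachable by anything that can route to this
-- address, so firewall the port and replace the placeholder password.
webserver("192.0.2.11:8083", "CHANGE-ME")

-- Called once per second. Each exceed* call returns the set of client
-- addresses over the given rate for the given window; addDynBlocks blocks
-- them for 60 seconds, after which the block expires on its own.
function maintenance()
        -- more than 10 queries/s over 10 seconds, any query type
        addDynBlocks(exceedQRate(10, 10), "Exceeded query rate", 60)
        -- constructed thresholds below; tune against real traffic
        addDynBlocks(exceedNXDOMAINs(20, 10), "Exceeded NXDOMAIN rate", 60)
        addDynBlocks(exceedServFails(20, 10), "Exceeded ServFail rate", 60)
        addDynBlocks(exceedRespByterate(100000, 10), "Exceeded response byte rate", 60)
end
```

Blocks are keyed on the source address, so many clients behind one NAT address or a forwarding resolver share a single counter; check showDynBlocks() on the console after deployment and raise the thresholds if legitimate sources appear there.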