[dnsdist] Rate Limiting Against DDOS

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Thu Jan 14 17:01:56 UTC 2016


Hi Ales, thanks for your help. Much appreciated.

I can't get my server to listen on UDP port 53 ... and I don't know why.
Maybe it is better to explain my environment first.

AUTH SERVERS (there is a mysql replication between them, from 1 to 2)
AUTH1 93.47.xxx.32 (pdns server & mysql backend) - Listening on 93.47.xxx.32:53 pointing to RECURSOR1 on port 7753
AUTH2 93.47.xxx.33 (pdns server & mysql backend) - Listening on port 93.47.xxx.33:53 pointing to RECURSOR2 on port 7753
RECURSOR SERVERS (I want to integrate these 2 dnsdist instances to have 2 load balancers pointing to these 2 recursors)
RECURSOR1 93.47.xxx.34 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.34:7753 - Dnsdist listening on port 93.47.xxx.34:53
RECURSOR2 93.47.xxx.35 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.35:7753 - Dnsdist listening on port 93.47.xxx.35:53

Is it possible? Or maybe I'm wrong about which layer I must use dnsdist in?

As far as I understand, dnsdist must be the one that receives requests and distributes them to the recursors, which send the request to the authoritative DNS server.

Thanks a lot DNSfriends!! 

-----Original Message-----
From: Aleš Rygl [mailto:ales at rygl.net] 
Sent: Thursday, 14 January 2016 16:41
To: dnsdist at mailman.powerdns.com
Cc: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; Pieter Lexis <pieter.lexis at powerdns.com>
Subject: Re: [dnsdist] Rate Limiting Against DDOS

Hi Alejandro,

I am using a tiny dnsdist setup (so far) together with keepalived on two boxes. There are following servers configured:

newServer({address="93.153.116.35:53", name="rzt-entdns3", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="127.0.0.1:53", name="rzt-entdns2", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
setServerPolicy(wrandom)
controlSocket("127.0.0.1") 
addLocal("93.153.116.33:53")

dnsdist listens on 93.153.116.33 (VIP) and distributes queries to 127.0.0.1 (local recursor) and the remote one at 93.153.116.35.
Using keepalived co-located with a recursor, I can migrate the VIP and play with the servers without an impact, and have just two boxes. No rocket science, it just works.

Ales



On Thursday 14 of January 2016 15:24:26 Alejandro Adroher Mellado wrote:
> I am able to make dnsdist and the recursors work only when they are placed on
> different servers; when I do that on the same server as I want (can someone
> tell me if it's a good practice?), I cannot get it to LISTEN on UDP port 53
> ....
> 
> -----Original Message-----
> From: dnsdist-bounces at mailman.powerdns.com
> [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
> Sent: Thursday, 14 January 2016 16:05
> To: dnsdist at mailman.powerdns.com
> Subject: Re: [dnsdist] Rate Limiting Against DDOS
> 
> Hi Alejandro,
> 
> On Thu, 14 Jan 2016 15:01:28 +0000
> 
> Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com> wrote:
> > (on documentation is placed on /etc/dnsdist.conf but on my recent
> > installed dnsdist it's placed on /etc/init/dnsdist.conf)
> 
> The correct location (when using a package) is /etc/dnsdist/dnsdist.conf.
> The /etc/init/dnsdist.conf is for the upstart init-system.
> 
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
> 
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/dnsdist
> 
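The co-located setup Alejandro describes (recursor on 7753, dnsdist on 53 on the same box) can be written as a dnsdist.conf in the same style as Ales's snippet. The following is an added example for RECURSOR1, not either poster's actual configuration: the 93.47.xxx.* addresses are the masked values from the thread (replace "xxx" before use), the backend names, the ACL entries and the 50 qps limit are assumptions, and the rate-limit rule is included because the thread subject asks for one.

```lua
-- Added example: dnsdist.conf for RECURSOR1 in the topology described in the
-- thread. Addresses are the thread's masked values; "xxx" is a placeholder.

-- dnsdist owns port 53 on this box. The recursor on the same host must be
-- moved off 53 (pdns-recursor: local-address=93.47.xxx.34, local-port=7753),
-- otherwise whichever daemon starts second fails to bind the UDP socket.
addLocal("93.47.xxx.34:53")

-- Backends: the local recursor plus the recursor on the other box, weighted
-- randomly as in Ales's setup (names and timeouts are assumptions).
newServer({address="93.47.xxx.34:7753", name="recursor1", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="93.47.xxx.35:7753", name="recursor2", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
setServerPolicy(wrandom)

-- dnsdist's default ACL only admits RFC1918 and loopback sources, so queries
-- arriving from the public AUTH addresses would be refused. The entries below
-- are an assumption; list whatever clients are actually allowed to recurse.
setACL({"93.47.xxx.32/32", "93.47.xxx.33/32", "127.0.0.0/8"})

-- Per-client rate limit: drop queries from any single IPv4 address (IPv6 /64)
-- that exceeds 50 queries per second. The threshold is an assumption; tune it
-- against observed legitimate traffic before enabling in production.
addAction(MaxQPSIPRule(50, 32, 64), DropAction())

-- Management console on loopback only; the key must match the client's setKey().
controlSocket("127.0.0.1")
setKey("REPLACE-WITH-OUTPUT-OF-makeKey()")
```

After starting the recursor, check that port 53 is free before dnsdist starts (for example with `ss -ulpn | grep ':53 '`); if the recursor still shows up there, its local-port setting did not take effect and dnsdist will fail with the bind error Alejandro reports.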





More information about the dnsdist mailing list