[dnsdist] Rate Limiting Against DDOS

Aleš Rygl ales at rygl.net
Thu Jan 14 22:04:12 UTC 2016


Hi Alejandro,

You are right. dnsdist receives the query and forwards it to the recursor. I do not see a 
reason for binding auth servers together with recursors directly unless you have a 
special reason. Your recursors will be able to resolve your domains served by your 
auth. DNS based on the DNS hierarchy anyway.

I would start like that:

1. make sure your recursors are working fine without dnsdist first. 
 If you want to use dnsdist on the same box, make sure they listen just on port 
7753 and they are not using port 53 (use netstat -tunlp), otherwise dnsdist will fail to 
start. You could also assign a secondary IP and use it just for dnsdist. Perform some 
queries to them with the dig command with the option -p 7753. Check if they are able to 
resolve the domains served by your auth DNS.

2. run dnsdist on the boxes with recursor. It will listen on 93.47.xxx.34:53 and 
93.47.xxx.35:53 on the 2nd box. Use 127.0.0.1:7553 in the server config on each of 
them first.

3. This should work. Each recursor will have dnsdist as a frontend forwarding traffic 
locally. Verify with dig <a hostname> @93.47.xxx.34 and @93.47.xxx.35.
If it works you can try to add the 2nd recursor IP to the config of the 1st dnsdist and 
vice versa in order to have a balanced solution...

Regards
Ales


> 
> AUTH SERVERS (there is a mysql replication between them, from 1 to 2)
> AUTH1 93.47.xxx.32 (pdns server & mysql backend) - Listening on 93.47.xxx.32:53 pointing to RECURSOR1 on port 7753
> AUTH2 93.47.xxx.33 (pdns server & mysql backend) - Listening on port 93.47.xxx.33:53 pointing to RECURSOR2 on port 7753
> 
> RECURSOR SERVERS (I want to integrate these 2 dnsdist to have 2 loadbalancers pointing this 2 recursors)
> RECURSOR1 93.47.xxx.34 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.34:7753 - Dnsdist listening on port 93.47.xxx.34:53
> RECURSOR2 93.47.xxx.35 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.35:7753 - Dnsdist listening on port 93.47.xxx.35:53
> 
> It's possible? Or maybe I'm wrong understanding in which layer I must use
> dnsdist?
> 
> As far as I understand, dnsdist must be one that receives requests and
> distributes them to the recursors, which send the request to the
> authoritative DNS server.
> 
> Thanks a lot DNSfriends!!
> 
> -----Original Message-----
> From: Aleš Rygl [mailto:ales at rygl.net]
> Sent: jueves, 14 de enero de 2016 16:41
> To: dnsdist at mailman.powerdns.com
> Cc: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; Pieter Lexis <pieter.lexis at powerdns.com>
> Subject: Re: [dnsdist] Rate Limiting Against DDOS
> 
> Hi Alejandro,
> 
> I am using a tiny dnsdist setup (so far) together with keepalived on two
> boxes. There are following servers configured:
> 
> newServer({address="93.153.116.35:53", name="rzt-entdns3", qps=1000,
> order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> newServer({address="127.0.0.1:53", name="rzt-entdns2", qps=1000, order=1,
> weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> setServerPolicy(wrandom)
> controlSocket("127.0.0.1")
> addLocal("93.153.116.33:53")
> 
> dnsdist listens on 93.153.116.33 (VIP) and distributes queries to 127.0.0.1
> (local recursor) and a remote one at 93.153.116.35. Using keepalived
> collocated with a recursor can migrate the VIP and play with the servers
> without an impact and have just two boxes. No rocket science, just works.
> 
> Ales
> 
> On Thursday 14 of January 2016 15:24:26 Alejandro Adroher Mellado wrote:
> > I am able to make work dnsdist and recursors only when they are placed on
> > different servers, when I do that on the same server as I want (can
> > someone
> > tell me if it's a good practice?), I cannot reach to LISTEN udp on port 53
> > ....
> > 
> > -----Original Message-----
> > From: dnsdist-bounces at mailman.powerdns.com
> > [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
> > Sent: jueves, 14 de enero de 2016 16:05
> > To: dnsdist at mailman.powerdns.com
> > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> > 
> > Hi Alejandro,
> > 
> > On Thu, 14 Jan 2016 15:01:28 +0000
> > 
> > Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com> wrote:
> > > (on documentation is placed on /etc/dnsdist.conf but on my recent
> > > installed dnsdist it's placed on /etc/init/dnsdist.conf)
> > 
> > The correct location (when using a package) is /etc/dnsdist/dnsdist.conf.
> > The /etc/init/dnsdist.conf is for the upstart init-system.
> > 
> > --
> > Pieter Lexis
> > PowerDNS.COM BV -- https://www.powerdns.com
> > 
> > _______________________________________________
> > dnsdist mailing list
> > dnsdist at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/dnsdist
> > 

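Putting Ales's three steps together with his own quoted dnsdist config, here is what the dnsdist.conf on RECURSOR1 (the 93.47.xxx.34 box) would look like after step 3. This is an added example, not config from the thread or from the PowerDNS project; it assumes both recursors listen on port 7753 as in step 1, that "xxx" is filled in with the real octet, and uses the newServer/setServerPolicy/controlSocket/addLocal calls already shown in the thread. The weights are my choice to prefer the local recursor.

```lua
-- /etc/dnsdist/dnsdist.conf on RECURSOR1 (93.47.xxx.34), added example
-- Assumption: pdns-recursor on this box and on RECURSOR2 both bind port 7753,
-- so port 53 is free for dnsdist (check with: netstat -tunlp | grep ':53 ').

-- Step 2: dnsdist owns port 53 on this box's address; the recursor must NOT
-- be on :53 or dnsdist fails to start with an address-in-use error.
addLocal("93.47.xxx.34:53")

-- Step 2: first backend is the recursor on the same box (loopback, port 7753).
-- weight=2 so the local recursor gets roughly two thirds of the queries under
-- wrandom; qps caps how much this backend will accept before being skipped.
newServer({address="127.0.0.1:7753", name="recursor1-local",
           qps=1000, order=1, weight=2, retries=5,
           tcpSendTimeout=30, tcpRecvTimeout=30})

-- Step 3: second backend is the recursor on RECURSOR2, reached on its
-- recursor port (7753), not on :53, which is RECURSOR2's own dnsdist.
newServer({address="93.47.xxx.35:7753", name="recursor2-remote",
           qps=1000, order=1, weight=1, retries=5,
           tcpSendTimeout=30, tcpRecvTimeout=30})

-- Weighted random over both backends; dnsdist health-checks them and stops
-- sending to one that is down, so a single recursor outage is survivable.
setServerPolicy(wrandom)

-- Console only on loopback; it is an admin interface, keep it off the LAN.
controlSocket("127.0.0.1")
```

The mirror config for RECURSOR2 swaps the addLocal address to 93.47.xxx.35:53 and the remote backend to 93.47.xxx.34:7753; the step 3 check is then dig <a hostname> @93.47.xxx.34 -p 53 and the same against .35.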