[dnsdist] Rate Limiting Against DDOS

bert hubert bert.hubert at netherlabs.nl
Fri Jan 15 11:42:57 UTC 2016


On Thu, Jan 14, 2016 at 10:46:07PM +0000, Alejandro Adroher Mellado wrote:
> Great explanation Ales, tomorrow i will work on it.
> 
> There is any way in which each dnsdist know the existence of the other?

No, not right now - what do you think they should be talking about?

	Bert

> 
> Alejandro
> 
> On 14/1/2016 11:04 p.m., Aleš Rygl <ales at rygl.net> wrote:
> 
> Hi Alejandro,
> 
> You are right. dnsdist receives the query and forwards it to the recursor.
> I do not see a reason for binding auth servers together with recursors
> directly unless you have a special reason.  Your recursors will be able to
> resolve your domains served by your auth DNS based on the DNS hierarchy
> anyway.
> 
> I would start like that:
> 
> 1. make sure your recursors are working fine without dnsdist first.
> 
> If you want to use dnsdist on the same box, make sure they listen just on port 7753 and are not using port 53 (use netstat -tunlp), otherwise dnsdist will fail to start. You could also assign a secondary IP and use it just for dnsdist. Perform some queries to them with the dig command with the option -p 7753. Check if they are able to resolve the domains served by your auth DNS.
> 
> 2. run dnsdist on the boxes with the recursor. It will listen on 93.47.xxx.34:53 and 93.47.xxx.35:53 on the 2nd box. Use 127.0.0.1:7553 in the server config on each of them first.
> 
> 3. This should work. Each recursor will have dnsdist as a frontend forwarding traffic locally. Verify with dig <a hostname> @93.47.xxx.34 and @93.47.xxx.35.
> 
> If it works you can try to add the 2nd recursor IP to the config of the 1st dnsdist and vice versa in order to have a balanced solution...
> 
> Regards
> 
> Ales
> 
> 
> > AUTH SERVERS (there is a mysql replication between them, from 1 to 2)
> > AUTH1 93.47.xxx.32 (pdns server & mysql backend) - Listening on
> > 93.47.xxx.32:53 pointing to RECURSOR1 on port 7753
> > AUTH2 93.47.xxx.33 (pdns server & mysql backend) - Listening on
> > 93.47.xxx.33:53 pointing to RECURSOR2 on port 7753
> >
> > RECURSOR SERVERS (I want to integrate these 2 dnsdist to have 2
> > loadbalancers pointing to these 2 recursors)
> > RECURSOR1 93.47.xxx.34 (pdns-recursor & dnsdist) - Recursor listening on
> > 93.47.xxx.34:7753 - dnsdist listening on 93.47.xxx.34:53
> > RECURSOR2 93.47.xxx.35 (pdns-recursor & dnsdist) - Recursor listening on
> > 93.47.xxx.35:7753 - dnsdist listening on 93.47.xxx.35:53
> >
> > Is it possible? Or maybe I'm wrong in understanding in which layer I must
> > use dnsdist?
> >
> > As far as I understand, dnsdist must be the one that receives requests and
> > distributes them to the recursors, which send the request to the
> > authoritative DNS server.
> >
> > Thanks a lot DNSfriends!!
> >
> 
> > -----Original Message-----
> > From: Aleš Rygl [mailto:ales at rygl.net]
> > Sent: Thursday, 14 January 2016 16:41
> > To: dnsdist at mailman.powerdns.com
> > Cc: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; Pieter
> > Lexis <pieter.lexis at powerdns.com>
> > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> >
> > Hi Alejandro,
> >
> > I am using a tiny dnsdist setup (so far) together with keepalived on two
> > boxes. There are the following servers configured:
> >
> > newServer({address="93.153.116.35:53", name="rzt-entdns3", qps=1000,
> > order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > newServer({address="127.0.0.1:53", name="rzt-entdns2", qps=1000, order=1,
> > weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > setServerPolicy(wrandom)
> > controlSocket("127.0.0.1")
> > addLocal("93.153.116.33:53")
> >
> > dnsdist listens on 93.153.116.33 (VIP) and distributes queries to 127.0.0.1
> > (local recursor) and the remote one at 93.153.116.35. Using keepalived
> > collocated with a recursor you can migrate the VIP and play with the servers
> > without an impact and have just two boxes. No rocket science, just works.
> >
> > Ales
> >
> 
> > On Thursday 14 of January 2016 15:24:26 Alejandro Adroher Mellado wrote:
> > > I am able to make dnsdist and the recursors work only when they are placed
> > > on different servers; when I do that on the same server as I want (can
> > > someone tell me if it's a good practice?), I cannot get it to LISTEN udp
> > > on port 53 ....
> > >
> > > -----Original Message-----
> > > From: dnsdist-bounces at mailman.powerdns.com
> > > [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
> > > Sent: Thursday, 14 January 2016 16:05
> > > To: dnsdist at mailman.powerdns.com
> > > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> > >
> > > Hi Alejandro,
> > >
> > > On Thu, 14 Jan 2016 15:01:28 +0000
> > > Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com> wrote:
> > > > (in the documentation it is placed at /etc/dnsdist.conf but on my
> > > > recently installed dnsdist it's placed at /etc/init/dnsdist.conf)
> > >
> > > The correct location (when using a package) is /etc/dnsdist/dnsdist.conf.
> > > The /etc/init/dnsdist.conf is for the upstart init-system.
> > >
> > > --
> > > Pieter Lexis
> > > PowerDNS.COM BV -- https://www.powerdns.com
> > >
> > > _______________________________________________
> > > dnsdist mailing list
> > > dnsdist at mailman.powerdns.com
> > > http://mailman.powerdns.com/mailman/listinfo/dnsdist
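The following dnsdist configuration is an added example for this archive page; it is not code posted by any participant in the thread nor dnsdist's own shipped configuration. It puts together the three steps Ales describes (dnsdist on port 53 in front of a local recursor on 7753, then cross-wiring to the peer recursor so both boxes balance) and adds the per-client rate limit the thread's subject line asks about. Assumptions not in the original posts: the documentation addresses 192.0.2.34 and 192.0.2.35 stand in for the anonymised 93.47.xxx.34 and .35, the recursor port is 7753 throughout (the thread mentions both 7753 and 7553), the ACL networks and the 50 qps threshold are placeholders to be replaced with your own, and the control socket port 5199 is dnsdist's default.

```lua
-- /etc/dnsdist/dnsdist.conf on RECURSOR1 (added example, not from the thread).
-- Assumed addresses (placeholders): RECURSOR1 = 192.0.2.34, RECURSOR2 = 192.0.2.35.
-- Both boxes run pdns-recursor bound to port 7753 and dnsdist bound to port 53.
-- Install the same file on RECURSOR2 with the two addresses swapped.

-- dnsdist owns port 53 on the public address. The recursor on this box must
-- listen on 7753 only (check with netstat -tunlp); if anything else already
-- holds :53, dnsdist fails to start, which is the symptom described above.
addLocal("192.0.2.34:53")

-- Answer only the networks you intend to serve. A resolver open to the world is
-- an amplification source, so the ACL is the first line of DDoS protection.
-- Placeholder networks; replace with your own client ranges.
setACL({"127.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24"})

-- Backends. Step 2: the local recursor. Step 3 (balanced variant): the peer
-- box's recursor as a second backend. qps caps what each backend receives.
newServer({address="127.0.0.1:7753", name="recursor1-local", qps=1000,
           order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="192.0.2.35:7753", name="recursor2-remote", qps=1000,
           order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
setServerPolicy(wrandom)

-- Per-client rate limit (the subject of the thread): drop queries from any
-- source exceeding 50 qps, keyed by /32 for IPv4 and /64 for IPv6 clients.
-- The threshold is an assumed placeholder; size it from your normal traffic.
addAction(MaxQPSIPRule(50, 32, 64), DropAction())

-- Console socket for `dnsdist -c`, bound to localhost only.
controlSocket("127.0.0.1:5199")
```

Sanity check after starting dnsdist: `dig <a hostname> @192.0.2.34` must answer, `dig -p 7753 <a hostname> @127.0.0.1` must still answer directly from the recursor, and `dig` from an address outside the ACL must get no response. dnsdist also expects a console key for `controlSocket`; generate one with `makeKey()` inside `dnsdist -c` and set it with `setKey()` in this file rather than leaving the console unauthenticated.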




