[dnsdist] Rate Limiting Against DDOS
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Fri Jan 15 11:57:31 UTC 2016
I was just thinking that two load balancers could maybe create a query loop if they are wrongly configured.
I just thought about unifying the load balancers' policy.
-----Original Message-----
From: bert hubert [mailto:bert.hubert at netherlabs.nl]
Sent: Friday, 15 January 2016 12:43
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
Cc: Aleš Rygl <ales at rygl.net>; dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rate Limiting Against DDOS
On Thu, Jan 14, 2016 at 10:46:07PM +0000, Alejandro Adroher Mellado wrote:
> Great explanation Ales, tomorrow I will work on it.
>
> Is there any way in which each dnsdist knows of the existence of the other?
No, not right now - what do you think they should be talking about?
Bert
>
> Alejandro
>
> On 14/1/2016 11:04 p.m., Aleš Rygl <ales at rygl.net> wrote:
>
> Hi Alejandro,
>
> You are right. dnsdist receives the query and forwards it to the recursor.
> I do not see a reason for binding auth servers together with recursors
> directly unless you have a special reason. Your recursors will be
> able to resolve your domains served by your auth. DNS based on the
> DNS hierarchy anyway.
>
> I would start like that:
>
> 1. Make sure your recursors are working fine without dnsdist first.
>
> If you want to use dnsdist on the same box, make sure they listen just on port 7753 and are not using port 53 (use netstat -tunlp), otherwise dnsdist will fail to start. You could also assign a secondary IP and use it just for dnsdist. Perform some queries to them with the dig command with the option -p 7753. Check if they are able to resolve the domains served by your auth DNS.
>
> 2. Run dnsdist on the boxes with the recursor. It will listen on 93.47.xxx.34:53 and 93.47.xxx.35:53 on the 2nd box. Use 127.0.0.1:7553 in the server config on each of them first.
>
> 3. This should work. Each recursor will have dnsdist as a frontend forwarding traffic locally. Verify with dig <a hostname> @93.47.xxx.34 and @93.47.xxx.35.
>
> If it works you can try to add the 2nd recursor IP to the config of the 1st dnsdist and vice versa in order to have a balanced solution...
>
> Regards
>
> Ales
>
> >
> > AUTH SERVERS (there is a mysql replication between them, from 1 to 2)
> > AUTH1 93.47.xxx.32 (pdns server & mysql backend) - Listening on 93.47.xxx.32:53, pointing to RECURSOR1 on port 7753
> > AUTH2 93.47.xxx.33 (pdns server & mysql backend) - Listening on 93.47.xxx.33:53, pointing to RECURSOR2 on port 7753
> >
> > RECURSOR SERVERS (I want to integrate these 2 dnsdist to have 2 load balancers pointing to these 2 recursors)
> > RECURSOR1 93.47.xxx.34 (pdns-recursor & dnsdist) - Recursor listening on 93.47.xxx.34:7753 - dnsdist listening on 93.47.xxx.34:53
> > RECURSOR2 93.47.xxx.35 (pdns-recursor & dnsdist) - Recursor listening on 93.47.xxx.35:7753 - dnsdist listening on 93.47.xxx.35:53
> >
> > Is it possible? Or maybe I'm wrong in understanding in which layer I must use dnsdist?
> >
> > As far as I understand, dnsdist must be the one that receives requests and distributes them to the recursors, which send the request to the authoritative DNS server.
> >
> > Thanks a lot DNSfriends!!
> >
>
> > -----Original Message-----
> > From: Aleš Rygl [mailto:ales at rygl.net]
> > Sent: Thursday, 14 January 2016 16:41
> > To: dnsdist at mailman.powerdns.com
> > Cc: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; Pieter Lexis <pieter.lexis at powerdns.com>
> > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> >
> > Hi Alejandro,
> >
> > I am using a tiny dnsdist setup (so far) together with keepalived on two boxes. There are the following servers configured:
> >
> > newServer({address="93.153.116.35:53", name="rzt-entdns3", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > newServer({address="127.0.0.1:53", name="rzt-entdns2", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > setServerPolicy(wrandom)
> > controlSocket("127.0.0.1")
> > addLocal("93.153.116.33:53")
> >
> > dnsdist listens on 93.153.116.33 (VIP) and distributes queries to 127.0.0.1 (local recursor) and the remote one at 93.153.116.35. Using keepalived collocated with a recursor, you can migrate the VIP and play with the servers without an impact and have just two boxes. No rocket science, just works.
> >
> > Ales
> >
> > On Thursday 14 of January 2016 15:24:26 Alejandro Adroher Mellado wrote:
> > > I am able to make dnsdist and recursors work only when they are placed on different servers; when I do that on the same server as I want (can someone tell me if it's a good practice?), I cannot get it to LISTEN on UDP port 53 ....
> > >
> > > -----Original Message-----
> > > From: dnsdist-bounces at mailman.powerdns.com [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
> > > Sent: Thursday, 14 January 2016 16:05
> > > To: dnsdist at mailman.powerdns.com
> > > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> > >
> > > Hi Alejandro,
> > >
> > > On Thu, 14 Jan 2016 15:01:28 +0000
> > > Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com> wrote:
> > > > (in the documentation it is placed at /etc/dnsdist.conf but on my recently installed dnsdist it's placed at /etc/init/dnsdist.conf)
> > >
> > > The correct location (when using a package) is /etc/dnsdist/dnsdist.conf.
> > > The /etc/init/dnsdist.conf is for the upstart init-system.
> > >
> > > --
> > > Pieter Lexis
> > > PowerDNS.COM BV -- https://www.powerdns.com
> > >
> > > _______________________________________________
> > > dnsdist mailing list
> > > dnsdist at mailman.powerdns.com
> > > http://mailman.powerdns.com/mailman/listinfo/dnsdist
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/dnsdist
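Ales's three steps, his "add the 2nd recursor IP" follow-up and Alejandro's query-loop worry, carried into one dnsdist.conf for the first box as an added example that is not from anyone in the thread. It assumes documentation-range placeholders (192.0.2.34 for box 1, 192.0.2.35 for box 2) in place of the 93.47.xxx.* hosts, the recursors on port 7753 as in the thread, and the per-client limit uses dnsdist's own MaxQPSIPRule and DropAction calls; the mirror-image file with the two addresses swapped goes on box 2.

```lua
-- /etc/dnsdist/dnsdist.conf on box 1 (constructed example, not the list's config).
-- Placeholder addresses: 192.0.2.34 = this box, 192.0.2.35 = the other box.

-- dnsdist owns port 53 on the public address; the local recursor sits on 7753
-- so the two daemons do not fight over the socket (check with netstat -tunlp).
addLocal("192.0.2.34:53")

-- Backends are the *recursors* on 7753, never the other box's dnsdist on :53.
-- Two dnsdists that list each other as backends can bounce a query between
-- them; a dnsdist that only forwards to recursors cannot loop.
newServer({address="127.0.0.1:7753",  name="recursor1-local",  qps=1000, order=1, weight=2})
newServer({address="192.0.2.35:7753", name="recursor2-remote", qps=1000, order=1, weight=1})

-- Weighted random spreads load while keeping most queries on the local recursor;
-- qps=1000 caps what dnsdist will hand to each backend.
setServerPolicy(wrandom)

-- Per-client rate limit (the thread's subject): a single source IP sending
-- more than 50 qps is dropped before it reaches either recursor.
addAction(MaxQPSIPRule(50), DropAction())

-- Local console only; pair it with setKey() (from makeKey()) so the console
-- is authenticated rather than open to anything that reaches the socket.
controlSocket("127.0.0.1")
```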