[dnsdist] Rate Limiting Against DDOS

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Fri Jan 15 17:02:41 UTC 2016


Thanks Bert, thanks Ales!

I finally got "dnsdist" to work with your advice.
I don't feel really sure about the config, but it works and it load balances the queries.

I have something like this:

Server 1 (recursor on 127.0.0.1:53 and dnsdist on publicIP:53)
newServer({address="DNS-DIST-ON-SERVER-2:53", name="dnsdist-Rec-2", qps=100, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="127.0.0.1:53", name="dnsdist-Rec-1", qps=100, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
setServerPolicy(firstAvailable)
controlSocket("127.0.0.1")
addLocal("LocalPublicIP:53")
addACL("LocalSubnet.0/24")
webserver("LocalPublicIP:8083", "mysecretpass")

Server 2 (recursor on 127.0.0.1:53 and dnsdist on publicIP:53)
newServer({address="DNS-DIST-ON-SERVER-1:53", name="dnsdist-Rec-1", qps=100, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="127.0.0.1:53", name="dnsdist-Rec-2", qps=100, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
setServerPolicy(firstAvailable)
controlSocket("127.0.0.1")
addLocal("LocalPublicIP:53")
addACL("LocalSubnet.0/24")
webserver("LocalPublicIP:8083", "mysecretpass")
 

Now, if I do a stress test on server 1 with 200 qps, I get some strange statistics on the web service (during the test):

server 1
#	Name	                Address	        Status	Latency	Queries	Drops	QPS	Out	Weight	Order	Pools
0	dnsdist-Rec-2	xx.xx.xxx.xx:53	up	358	8910	299	106	40	1	1	
1	dnsdist-Rec-1	127.0.0.1:53	up	289	10354	267	141	42	1	1	

server 2
#	Name	                Address	        Status	Latency	Queries	Drops	QPS	Out	Weight	Order	Pools
0	dnsdist-Rec-1	xx.xx.xxx.xx:53	up	169	7303	226	54	21	1	1	
1	dnsdist-Rec-2	127.0.0.1:53	up	241	7103	258	53	24	1	1	

I can see in real time around 354 QPS; does it mean that I'm doing something wrong? Maybe a query loop between servers?? XDDD
Or maybe it's normal...

It's Friday guys!!! 

Nice weekend for everyone!




-----Original Message-----
From: bert hubert [mailto:bert.hubert at netherlabs.nl] 
Sent: Friday, 15 January 2016 12:43
To: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>
Cc: Aleš Rygl <ales at rygl.net>; dnsdist at mailman.powerdns.com
Subject: Re: [dnsdist] Rate Limiting Against DDOS

On Thu, Jan 14, 2016 at 10:46:07PM +0000, Alejandro Adroher Mellado wrote:
> Great explanation Ales, tomorrow i will work on it.
> 
> There is any way in which each dnsdist know the existence of the other?

No, not right now - what do you think they should be talking about?

	Bert

> 
> Alejandro
> 
> On 14/1/2016 11:04 p.m., Aleš Rygl <ales at rygl.net> wrote:
> 
> Hi Alejandro,
> 
> You are right. dnsdist receives the query and forwards it to the recursor.
> I do not see a reason for binding auth servers together with recursors
> directly unless you have a special reason. Your recursors will be
> able to resolve your domains served by your auth DNS based on the
> DNS hierarchy anyway.
> 
> I would start like that:
> 
> 1. make sure your recursors are working fine without dnsdist first.
> 
> If you want to use dnsdist on the same box, make sure they listen only on port 7753 and are not using port 53 (use netstat -tunlp), otherwise dnsdist will fail to start. You could also assign a secondary IP and use it just for dnsdist. Perform some queries to them with the dig command with the option -p 7753. Check if they are able to resolve the domains served by your auth DNS.
> 
> 2. run dnsdist on the boxes with the recursor. It will listen on 93.47.xxx.34:53 and 93.47.xxx.35:53 on the 2nd box. Use 127.0.0.1:7553 in the server config on each of them first.
> 
> 3. This should work. Each recursor will have dnsdist as a frontend forwarding traffic locally. Verify with dig <a hostname> @93.47.xxx.34 and @93.47.xxx.35.
> 
> If it works you can try to add the 2nd recursor IP to the config of the 1st dnsdist and vice versa in order to have a balanced solution...
> 
> Regards
> 
> Ales
> 
> >
> > AUTH SERVERS (there is a mysql replication between them, from 1 to 2)
> > AUTH1 93.47.xxx.32 (pdns server & mysql backend) - Listening on 93.47.xxx.32:53 pointing to RECURSOR1 on port 7753
> > AUTH2 93.47.xxx.33 (pdns server & mysql backend) - Listening on port 93.47.xxx.33:53 pointing to RECURSOR2 on port 7753
> > RECURSOR SERVERS (I want to integrate these 2 dnsdist to have 2 load balancers pointing to these 2 recursors)
> > RECURSOR1 93.47.xxx.34 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.34:7753 - Dnsdist listening on port 93.47.xxx.34:53
> > RECURSOR2 93.47.xxx.35 (pdns-recursor & dnsdist) - Recursor listening on port 93.47.xxx.35:7753 - Dnsdist listening on port 93.47.xxx.35:53
> >
> > Is it possible? Or maybe I'm misunderstanding in which layer I must use dnsdist?
> >
> > As far as I understand, dnsdist must be the one that receives requests and distributes them to the recursors, which send the request to the authoritative DNS server.
> >
> > Thanks a lot DNSfriends!!
> >
> > -----Original Message-----
> > From: Aleš Rygl [mailto:ales at rygl.net]
> > Sent: Thursday, 14 January 2016 16:41
> > To: dnsdist at mailman.powerdns.com
> > Cc: Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com>; Pieter Lexis <pieter.lexis at powerdns.com>
> > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> >
> > Hi Alejandro,
> >
> > I am using a tiny dnsdist setup (so far) together with keepalived on two boxes. The following servers are configured:
> >
> > newServer({address="93.153.116.35:53", name="rzt-entdns3", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > newServer({address="127.0.0.1:53", name="rzt-entdns2", qps=1000, order=1, weight=1, retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
> > setServerPolicy(wrandom)
> > controlSocket("127.0.0.1")
> > addLocal("93.153.116.33:53")
> >
> > dnsdist listens on 93.153.116.33 (VIP) and distributes queries to 127.0.0.1 (local recursor) and a remote one at 93.153.116.35. Using keepalived collocated with a recursor I can migrate the VIP and play with the servers without an impact and have just two boxes. No rocket science, just works.
> >
> > Ales
> >
> > On Thursday 14 of January 2016 15:24:26 Alejandro Adroher Mellado wrote:
> > > I am able to make dnsdist and recursors work only when they are placed on different servers; when I do that on the same server as I want (can someone tell me if it's a good practice?), I cannot get it to LISTEN on udp port 53 ....
> > >
> > > -----Original Message-----
> > > From: dnsdist-bounces at mailman.powerdns.com [mailto:dnsdist-bounces at mailman.powerdns.com] On Behalf Of Pieter Lexis
> > > Sent: Thursday, 14 January 2016 16:05
> > > To: dnsdist at mailman.powerdns.com
> > > Subject: Re: [dnsdist] Rate Limiting Against DDOS
> > >
> > > Hi Alejandro,
> > >
> > > On Thu, 14 Jan 2016 15:01:28 +0000
> > > Alejandro Adroher Mellado <alejandro.adroher at omniaccess.com> wrote:
> > > > (in the documentation it is placed at /etc/dnsdist.conf, but on my recently installed dnsdist it's placed at /etc/init/dnsdist.conf)
> > >
> > > The correct location (when using a package) is /etc/dnsdist/dnsdist.conf.
> > > The /etc/init/dnsdist.conf is for the upstart init-system.
> > >
> > > --
> > > Pieter Lexis
> > > PowerDNS.COM BV -- https://www.powerdns.com
> > >
> > > _______________________________________________
> > > dnsdist mailing list
> > > dnsdist at mailman.powerdns.com
> > > http://mailman.powerdns.com/mailman/listinfo/dnsdist
> 


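As an added example (not from the thread, and not the dnsdist project's own code), here is a dnsdist configuration for box 1 along the lines of Aleš's steps: each dnsdist forwards only to recursors (the local one on 127.0.0.1:7753 and the remote one on its 7753 port), never to the other box's dnsdist, so a query cannot bounce between the two balancers and inflate the Queries/QPS columns of the web status page; the per-client limit uses MaxQPSIPRule, which is assumed to be available in the dnsdist build in use, and REMOTE-RECURSOR-IP, LocalPublicIP and LocalSubnet.0/24 are placeholders, not real addresses.

```lua
-- Box 1 (RECURSOR1). Assumed layout, following Aleš's steps:
--   pdns-recursor on 127.0.0.1:7753 on this box,
--   pdns-recursor on REMOTE-RECURSOR-IP:7753 on box 2 (placeholder),
--   dnsdist on the public IP, port 53, on both boxes.
-- Backends are recursors only. Pointing a backend at the other box's
-- dnsdist (port 53) would let a query be forwarded back and forth between
-- the two balancers, and each hop is counted again in the web statistics.
newServer({address="127.0.0.1:7753", name="rec-local", qps=100, order=1, weight=1,
           retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})
newServer({address="REMOTE-RECURSOR-IP:7753", name="rec-remote", qps=100, order=2, weight=1,
           retries=5, tcpSendTimeout=30, tcpRecvTimeout=30})

-- firstAvailable walks the backends by 'order' and picks the first one that
-- is up and under its qps cap, so the local recursor takes traffic first and
-- the remote one only absorbs the overflow (order=2 is a design choice here).
setServerPolicy(firstAvailable)

-- Listener, client ACL and management interfaces, as in the thread.
addLocal("LocalPublicIP:53")
addACL("LocalSubnet.0/24")
controlSocket("127.0.0.1")
webserver("LocalPublicIP:8083", "mysecretpass")

-- Per-client rate limit: drop queries from any single IPv4 address
-- (IPv6 /64 by default) that sends more than 30 qps. Rules run before the
-- backend is chosen, so an abusive source never eats into the backends'
-- qps budget. 30 is an assumed figure; size it from the legitimate peak
-- you observe per client.
addAction(MaxQPSIPRule(30), DropAction())
```

Box 2 uses the same file with the remote address pointing at box 1's recursor on port 7753 and its own public IP in addLocal and webserver.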


More information about the dnsdist mailing list