[dnsdist] Reply processing: Drop actions for RCODE and proxy RRL

David opendak at shaw.ca
Wed May 11 14:13:41 UTC 2016


On 2016-05-10 6:17 PM, Terry Burton wrote:
> Hi,
>
> Does dnsdist provide any form of reply processing, or plan to?
>
> Occasionally I have found a reason to drop replies to spoofed
> addresses having RCODE=REFUSED. One benefit is that this would mean
> that I can avoid the outgoing traffic in response to queries for zones
> for which I am not authoritative without having to provide the
> authoritative list to dnsdist. (Maybe the general case is bad
> netizenship since it results in resolvers having to wait for timeout
> to detect lame delegations...)
>

How are you able to tell if the address is spoofed or not? In the
general sense your auth server should always respond with something,
otherwise you risk the chance (and it's quite easy) of someone being
able to mark your name servers as "dead".

> Extending the reply processing idea further, would there be any
> benefit to dnsdist providing support for a kind of proxy RRL (perhaps
> per pool)? I'm considering a situation where you might have configured
> a large load bank to absorb abuse (elastic cloud, etc.) in which case
> each nameserver instance running RRL with its own scoreboard would
> contribute linearly to the volume of reply traffic that is within the
> rate limit or slips and floods the victim. dnsdist would provide a
> single world view allowing you to reduce the volume of reply traffic.
>
> Thanks for giving us such a unique and interesting project as dnsdist.
>
>
> All the best,
>
> Terry
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>
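A sketch of the two mechanisms Terry asks about, dropping replies with RCODE=REFUSED and a single shared RRL scoreboard in front of the whole pool, as an added Python example that is not part of this thread and not dnsdist's own code. The 12-byte response headers, the token-bucket parameters and the process_response helper are all constructed for illustration.

```python
import struct
from collections import defaultdict

RCODE_REFUSED = 5  # RFC 1035 RCODE value for REFUSED


def response_rcode(packet: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F


class ProxyRRL:
    """One scoreboard for the whole pool: a token bucket per destination address.

    Every backend's replies pass through the same buckets, so the total reply
    volume towards a destination is bounded once, not once per nameserver.
    """

    def __init__(self, rate: float, burst: int):
        self.rate = rate      # tokens refilled per second
        self.burst = burst    # bucket capacity
        self.buckets = defaultdict(lambda: [float(burst), 0.0])  # ip -> [tokens, last_ts]

    def allow(self, dest_ip: str, now: float) -> bool:
        tokens, last = self.buckets[dest_ip]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[dest_ip] = [tokens, now]
        return allowed


def process_response(rrl: ProxyRRL, packet: bytes, dest_ip: str, now: float) -> str:
    """Reply-side decision: drop REFUSED outright, then apply the shared rate limit."""
    if response_rcode(packet) == RCODE_REFUSED:
        return "drop-refused"
    if not rrl.allow(dest_ip, now):
        return "drop-rrl"
    return "forward"


def build_response(rcode: int) -> bytes:
    """Constructed header only: id 0x1234, QR=1 AA=1, given RCODE, zero counts."""
    return struct.pack("!HHHHHH", 0x1234, 0x8400 | (rcode & 0xF), 0, 0, 0, 0)


def demo():
    rrl = ProxyRRL(rate=1.0, burst=3)
    victim = "192.0.2.10"  # constructed (TEST-NET-1) destination
    burst = [process_response(rrl, build_response(0), victim, 10.0 + i * 0.1) for i in range(5)]
    refused = process_response(rrl, build_response(RCODE_REFUSED), victim, 10.5)
    return burst, refused
```

As David's reply points out, the remote side of a dropped reply only sees a timeout, so the "drop-refused" branch trades outgoing bytes for resolvers being unable to distinguish your server from a dead one.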


