[dnsdist] A few questions about rate-limiting

Remi Gacogne remi.gacogne at powerdns.com
Thu May 14 12:04:47 UTC 2020


Hi Thibaud,

On 5/13/20 9:50 AM, Thib D via dnsdist wrote:
> I am currently trying to set up a rate-limiting config and I have a few
> questions about how DynBlocks and packet policy rules work:
> 
> When an IP is inserted in a DynBlockRule, an action is automatically
> given to the query for some time.
> Instead of dropping/truncating every query, I would like to have the
> possibility to drop/truncate 50% for the queries coming from this
> abusive IP. Is this currently possible to do so?

I'm afraid there is currently no way to do that. At the moment only the
following actions are supported for a dynamic block rule:

DNSAction.Drop (the default), DNSAction.NoOp, DNSAction.NXDomain,
DNSAction.Refused, DNSAction.Truncate and DNSAction.NoRecurse.

> It looks like it's possible to come close to this behavior using
> MaxQPSIPRule(10,24,48) and dropping the queries matching this rule.
> Here, the abusive source would still be able to query at a 10 qps rate,
> and the rest of the queries would be dropped.

It's not exactly equivalent to what a dynamic block does but that would
be closer to your expectations indeed. Please note that the second and
third parameters that you are currently using would group by /24 for
IPv4 and /48 for IPv6.

> I would also like to have the same behaviour for queries by RCODE[1] and
> QNAMEs[2]:
> [1] : I would like to allow a source to have 10 NXDOMAINs/s, and drop
> the rest of the NXDOMAIN queries from this source.
> [2] : I would like to allow 10 queries per second for a single source on
> a same domain, then drop the rest.
> 
> From what I understand, DynBlocks are the only way to count responses
> with a specific RCodes, and I'm wondering if there is a way to have
> Dynblock not dropping/truncating every query (would LuaActions do the
> trick ?), or setting up custom rules to have some sort of MaxQPSRule
> limiting subnets abusing NXDOMAINs/SERVFAIL/REFUSED.

Dynamic blocks have been designed to cut off the queries sent by an
abusive client so at the moment there is no way to select which queries
to block and which to keep once a dynamic block has been inserted.
You could however mimic that behaviour with custom Lua rules and actions.

> Last question : Will Dynblocks be able to deal with subnets instead of
> IPs in the future?

Could you describe your use case a bit more so I understand why you
would like to be able to group dynamic blocks? It would be easy to make
it possible to aggregate IPs into fixed-size subnets, for example /64 or
/48 for IPv6, but doing dynamic aggregation would be more complicated.


Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
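As an added example, not part of the message above nor of the dnsdist project's own configuration, the following dnsdist Lua configuration puts together the two approaches Remi describes: the MaxQPSIPRule steady limiter with /24 and /48 grouping, and a custom Lua rule/action pair that mimics a dynamic block while dropping only half of the queries from an abusive subnet, using NXDOMAIN responses as the trigger. The backend address, the thresholds, and the helper names (subnetKey, pruneState, noteNXDomain, partialBlock) are this example's own assumptions. The dnsdist calls it relies on (newServer, addAction, addResponseAction, MaxQPSIPRule, RCodeRule, AllRule, DropAction, LuaAction, LuaResponseAction, newCA, ComboAddress:truncate) are from dnsdist's documented Lua API, and the example assumes dnsdist 1.4 or later and that ComboAddress:truncate() modifies the object in place, which is why the address is copied before truncation.

```lua
-- Added example; not taken from the message above or from the dnsdist project.
-- Assumes dnsdist 1.4 or later. Backend address, thresholds and the local
-- helper names are this example's own choices.

newServer({address = "192.0.2.53"})  -- assumed backend (documentation prefix)

-- (a) The steady per-source limiter discussed in the thread: at most 10 qps
--     per IPv4 /24 or IPv6 /48, excess dropped. Unlike a dynamic block the
--     source keeps its 10 qps and is never cut off completely.
addAction(MaxQPSIPRule(10, 24, 48), DropAction())

-- (b) A "partial" dynamic block built from Lua rules and actions.
--     A subnet producing more than NXDOMAIN_BUDGET NXDOMAIN answers within
--     WINDOW_SECONDS is listed in `abusers` for BLOCK_SECONDS; while listed,
--     DROP_FRACTION of its queries are dropped at random, the rest are served.
local NXDOMAIN_BUDGET = 10
local WINDOW_SECONDS  = 1
local BLOCK_SECONDS   = 60
local DROP_FRACTION   = 0.5

local nxCounts  = {}  -- subnet -> {count = n, windowStart = t}
local abusers   = {}  -- subnet -> time at which the partial block lapses
local lastPrune = os.time()

-- Group clients the way MaxQPSIPRule(..., 24, 48) does: /24 for IPv4, /48 for IPv6.
local function subnetKey(ca)
  local key = newCA(ca:toString())  -- work on a copy; truncate() is assumed in place
  if key:isIPv4() then key:truncate(24) else key:truncate(48) end
  return key:toString()
end

-- Drop expired state now and then so the tables cannot grow without bound.
local function pruneState(now)
  if now - lastPrune < BLOCK_SECONDS then return end
  lastPrune = now
  for k, expiry in pairs(abusers) do
    if now >= expiry then abusers[k] = nil end
  end
  for k, entry in pairs(nxCounts) do
    if now - entry.windowStart >= WINDOW_SECONDS then nxCounts[k] = nil end
  end
end

-- Response side: count NXDOMAIN answers per subnet and list heavy hitters.
local function noteNXDomain(dr)
  local now = os.time()
  pruneState(now)
  local key = subnetKey(dr.remoteaddr)
  local entry = nxCounts[key]
  if entry == nil or now - entry.windowStart >= WINDOW_SECONDS then
    entry = {count = 0, windowStart = now}
    nxCounts[key] = entry
  end
  entry.count = entry.count + 1
  if entry.count > NXDOMAIN_BUDGET then
    abusers[key] = now + BLOCK_SECONDS
    nxCounts[key] = nil
  end
  return DNSResponseAction.None, ""
end
addResponseAction(RCodeRule(DNSRCode.NXDOMAIN), LuaResponseAction(noteNXDomain))

-- Query side: drop only a fraction of the traffic from listed subnets.
local function partialBlock(dq)
  local key = subnetKey(dq.remoteaddr)
  local expiry = abusers[key]
  if expiry == nil then
    return DNSAction.None, ""
  end
  if os.time() >= expiry then
    abusers[key] = nil             -- the partial block has lapsed
    return DNSAction.None, ""
  end
  if math.random() < DROP_FRACTION then
    return DNSAction.Drop, ""      -- DNSAction.Truncate would force a TCP retry instead
  end
  return DNSAction.None, ""
end
addAction(AllRule(), LuaAction(partialBlock))
```

Two caveats a deployment would need to take into account. dnsdist runs Lua actions under a single lock, so the plain Lua tables need no extra locking, but it also means this path costs more per query than built-in rules or native dynamic blocks; where cutting the source off entirely is acceptable, dynBlockRulesGroup stays the cheaper choice. And if a packet cache is configured, NXDOMAIN answers served from the cache do not pass through addResponseAction rules, so the same counting action has to be registered with addCacheHitResponseAction as well, otherwise a client replaying one cached non-existent name is never counted. The per-QNAME variant from the question is the same structure with the counter keyed on the subnet together with dq.qname:toString() instead of the subnet alone.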
