[dnsdist] A few questions about rate-limiting

Thib D thibmac0241 at gmail.com
Thu May 14 13:45:18 UTC 2020


Hi Remi,

Thanks for your answer,

> Could you describe your use case a bit more so I understand why you
> would like to be able to group dynamic blocks? It would be easy to make
> it possible to aggregate IPs into fixed-size subnets, for example /64 or
> /48 for IPv6, but doing dynamic aggregation would be more complicated.
>

I found this issue. It sums up the need pretty well
https://github.com/PowerDNS/pdns/issues/4993

Instead of banning one particular IP, the goal would be to ban the /24
subnet this IP is in.
This is also why I have been trying to use QPS rules with these subnet
options.

While dnsdist seems to be pretty quick and efficient at creating a massive
amount of blocks in case of a ddos, blocking /24 subnets can sometimes be
the safest option.

> You could however mimic that behaviour with custom Lua rules and actions.
>

I will update this thread if I can make a custom rule that allows a certain
percentage of queries to pass through the rule.

Best regards.
Thibaud



Le jeu. 14 mai 2020 à 14:04, Remi Gacogne via dnsdist <
dnsdist at mailman.powerdns.com> a écrit :

> Hi Thibaud,
>
> On 5/13/20 9:50 AM, Thib D via dnsdist wrote:
> > I am currently trying to set up a rate-limiting config and I have a few
> > questions about how Dynblocks and Packet policies rules work :
> >
> > When an IP is inserted in a DynBlockRule, an action is automatically
> > given to the query for some time.
> > Instead of dropping/truncating every query, I would like to have the
> > possibility to drop/truncate 50% for the queries coming from this
> > abusive IP. Is this currently possible to do so?
>
> I'm afraid there is currently no way to do that. At the moment only the
> following actions are supported for a dynamic block rule:
>
> DNSAction.Drop (the default), DNSAction.NoOp, DNSAction.NXDomain,
> DNSAction.Refused, DNSAction.Truncate and DNSAction.NoRecurse.
>
> > It looks like it's possible to come close to this behavior using
> > MaxQPSIPRule(10,24,48) and dropping the queries matching this rule.
> > Here, the abusive source would still be able to query at a 10 qps rate,
> > and the rest of the queries would be dropped.
>
> It's not exactly equivalent to what a dynamic block does but that would
> be closer to your expectations indeed. Please note that the second and
> third parameters that you are currently using would group by /24 for
> IPv4 and /48 for IPv6.
>
> > I would also like to have the same behaviour for queries by RCODE[1] and
> > QNAMEs[2]:
> > [1] : I would like to allow a source to have 10 NXDOmains/s, and drop
> > the rest of the NXDOmain queries from this source.
> > [2] : I would like to allow 10 queries per second for a single source on
> > a same domain, then drop the rest.
> >
> > From what I understand, DynBlocks are the only way to count responses
> > with a specific RCodes, and I'm wondering if there is a way to have
> > Dynblock not dropping/truncating every query (would LuaActions do the
> > trick ?), or setting up custom rules to have some sort of MaxQPSRule
> > limiting subnets abusing NXDOmains/SERVFAIL/REFUSED.
>
> Dynamic blocks have been designed to cut off the queries sent by an
> abusive client so at the moment there is no way to select which queries
> to block and which to keep once a dynamic block has been inserted.
> You could however mimic that behaviour with custom Lua rules and actions.
>
> > Last question : Will Dynblocks be able to deal with subnets instead of
> > IPs in the future?
>
> Could you describe your use case a bit more so I understand why you
> would like to be able to group dynamic blocks? It would be easy to make
> it possible to aggregate IPs into fixed-size subnets, for example /64 or
> /48 for IPv6, but doing dynamic aggregation would be more complicated.
>
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>
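One way to prototype the "custom Lua rules and actions" approach Remi mentions, as an added example that is not from this thread or from the dnsdist project: a LuaAction keyed on the client's /24 (IPv4) or /48 (IPv6), mirroring the grouping of MaxQPSIPRule(10, 24, 48), that lets the first 10 queries per second through, then drops only 50% of the remainder for a throttle window, and a LuaResponseAction that counts NXDOMAIN answers per subnet and puts a noisy subnet into the same throttle. It assumes dnsdist's Lua API names addAction, addResponseAction, AllRule, RCodeRule, LuaAction, LuaResponseAction, DNSAction, DNSResponseAction, DNSRCode, newCA and the ComboAddress methods isIPv4(), truncate() and toString(); the limits, the 50% keep ratio, the 60-second throttle window and the prune interval are constructed values.

```lua
-- Added example, not from the thread or from dnsdist itself.
-- Approximates "allow 10 qps per /24 (or /48), then drop 50% of the rest",
-- plus the same throttle for subnets producing too many NXDOMAIN responses,
-- using plain Lua tables as counters.
-- Assumed dnsdist Lua API: addAction, addResponseAction, AllRule, RCodeRule,
-- LuaAction, LuaResponseAction, DNSRCode, DNSAction, DNSResponseAction,
-- newCA and the ComboAddress methods isIPv4(), truncate(), toString().

local QPS_LIMIT   = 10    -- queries/s per subnet before throttling (constructed)
local NX_LIMIT    = 10    -- NXDOMAIN responses/s per subnet (constructed)
local KEEP_RATIO  = 0.5   -- share of queries still answered while throttled
local THROTTLE_S  = 60    -- how long a subnet stays throttled (constructed)
local PRUNE_EVERY = 300   -- seconds between sweeps of stale counters

local queryCounts = {}    -- subnet -> { count = n, second = t }
local nxCounts    = {}    -- subnet -> { count = n, second = t }
local throttled   = {}    -- subnet -> unix time at which the throttle expires
local lastPrune   = os.time()

-- Group clients by /24 for IPv4 and /48 for IPv6, like MaxQPSIPRule(10, 24, 48).
-- newCA() makes a copy so dq.remoteaddr itself is not truncated.
local function subnetKey(ca)
  local net = newCA(ca:toString())
  if net:isIPv4() then net:truncate(24) else net:truncate(48) end
  return net:toString()
end

-- Count one event in a per-second bucket; true when the bucket exceeds limit.
local function bump(counters, key, limit, now)
  local bucket = counters[key]
  if bucket == nil or bucket.second ~= now then
    bucket = { count = 0, second = now }
    counters[key] = bucket
  end
  bucket.count = bucket.count + 1
  return bucket.count > limit
end

-- Drop stale buckets and expired throttles so the tables cannot grow forever
-- (dynamic blocks do this cleanup natively; a hand-rolled Lua version must too).
local function prune(now)
  if now - lastPrune < PRUNE_EVERY then return end
  lastPrune = now
  for _, counters in ipairs({ queryCounts, nxCounts }) do
    for key, bucket in pairs(counters) do
      if now - bucket.second > 1 then counters[key] = nil end
    end
  end
  for key, expiry in pairs(throttled) do
    if expiry <= now then throttled[key] = nil end
  end
end

-- Query path: count the query, mark the subnet when it is over budget, and
-- while it is marked let KEEP_RATIO of its queries through and drop the rest.
local function rateLimitQuery(dq)
  local now = os.time()
  prune(now)
  local key = subnetKey(dq.remoteaddr)
  if bump(queryCounts, key, QPS_LIMIT, now) then
    throttled[key] = now + THROTTLE_S
  end
  local expiry = throttled[key]
  if expiry ~= nil and expiry > now and math.random() >= KEEP_RATIO then
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""   -- continue with the rest of the rule chain
end

-- Response path: count NXDOMAIN answers per subnet; a subnet that produces too
-- many is throttled on the query path above (this response is still delivered).
local function countNxdomain(dr)
  local now = os.time()
  local key = subnetKey(dr.remoteaddr)
  if bump(nxCounts, key, NX_LIMIT, now) then
    throttled[key] = now + THROTTLE_S
  end
  return DNSResponseAction.None, ""
end

addAction(AllRule(), LuaAction(rateLimitQuery))
addResponseAction(RCodeRule(DNSRCode.NXDOMAIN), LuaResponseAction(countNxdomain))
```

Two points worth checking before relying on something like this in front of real traffic: dnsdist executes Lua actions under a single Lua lock, so a per-packet LuaAction serializes query processing and costs the most exactly when a flood arrives, which is why the native MaxQPSIPRule and dynamic blocks are preferable whenever their semantics suffice; and throttling on the query path rather than dropping responses is what keeps the resolver from doing the NXDOMAIN work in the first place, so the response-side action only counts and never drops.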