[dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots

me aharen aharen at outlook.com
Sat Dec 11 07:44:47 UTC 2021


Hello Friends,

I am running dnsdist 1.6.1 and I am unable to figure out the safest method of handling large amounts of SERVFAIL queries to random domains.

Right now I manually check SERVFAIL responses via 'topResponses(50, dnsdist.SERVFAIL)', and pick a repeating domain from the list and then apply a LogAction to identify the offending IPs.

After some log collection, I run through sort/unique and pick the IPs that are cache poisoning with SERVFAILs and simply apply rule 'addAction(<IPs>, PoolAction("abuse"))'.

It is a very manual, cumbersome approach. The best method I found was to use dynBlockRulesGroup() as follows:

local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)

function maintenance()
  dbr:apply()
end

This works, but it is a bit disruptive. What I would like is to send the offending IPs to an abuse pool I have already set up.

Any idea how I can use the dynBlock function to send the IPs to the abuse pool? Or is there a better way to handle this?

Thanks,
AH
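One way to get the pool routing the post asks for with the dnsdist 1.6 Lua API, written here as an added example and not taken from the original post or from dnsdist itself: the legacy exceedServFails() function gives the same kind of "rate over window" result as setRCodeRate(), but as a table the Lua side can keep, so a LuaAction placed first in the rule chain can steer those clients to the existing "abuse" pool while everyone else is untouched. It assumes the pool named "abuse" from the post already exists, that exceedServFails() returns ComboAddress keys (as addDynBlocks() expects), and reuses the post's 20/10/60 thresholds.

```lua
-- Added example (not from the original post): route clients that exceed the
-- SERVFAIL rate to the existing "abuse" pool instead of dropping their queries.
-- Assumes dnsdist 1.6.x and a pool named "abuse" already defined via newServer().
-- Thresholds mirror the post: 20 SERVFAILs/s over a 10 s window, held for 60 s.

local servfailRate   = 20
local servfailWindow = 10
local abuseSeconds   = 60

-- Client address (string) -> expiry time (epoch seconds). Filled by maintenance().
local abusers = {}

-- dnsdist calls maintenance() roughly once per second. exceedServFails() returns a
-- table keyed by ComboAddress (value: SERVFAIL count) for clients over the rate
-- during the last servfailWindow seconds.
function maintenance()
  local now = os.time()
  for addr, count in pairs(exceedServFails(servfailRate, servfailWindow)) do
    local key = addr:toString()
    if abusers[key] == nil then
      infolog("Routing " .. key .. " to the abuse pool (" .. count .. " SERVFAILs)")
    end
    -- Refresh the expiry while the client keeps exceeding the rate.
    abusers[key] = now + abuseSeconds
  end
  -- Drop entries whose hold period has passed so clients recover automatically.
  for key, expires in pairs(abusers) do
    if expires <= now then
      abusers[key] = nil
    end
  end
end

-- Check the client address against the abuser table; unmatched queries continue
-- down the rule chain with DNSAction.None.
function routeAbusers(dq)
  if abusers[dq.remoteaddr:toString()] ~= nil then
    return DNSAction.Pool, "abuse"
  end
  return DNSAction.None, ""
end

-- Keep this rule before any rule that would otherwise select a pool.
addAction(AllRule(), LuaAction(routeAbusers))
```

Queries from the abuse pool still produce responses, so the same clients keep showing up in exceedServFails() and stay routed there until they go quiet for the hold period; check with showDynBlocks()-style tooling is not needed since nothing is blocked, and topResponses() can confirm the SERVFAIL volume now lands in the abuse pool.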