[dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots
me aharen
aharen at outlook.com
Sat Dec 11 07:44:47 UTC 2021
Hello Friends,
I am running dnsdist 1.6.1 and I am unable to figure out the safest method of handling large amounts of SERVFAIL queries to random domains.
Right now I manually check SERVFAIL responses via 'topResponses(50, dnsdist.SERVFAIL)', and pick a repeating domain from the list and then apply a LogAction to identify the offending IPs.
After some log collection, I run through sort/unique and pick the IPs that are cache poisoning with SERVFAILs and simply apply rule 'addAction(<IPs>, PoolAction("abuse"))'.
It is a very manual, cumbersome approach. The best method I found was to use dynBlockRulesGroup() as follows:
-- group of dynamic rules evaluated per client address
local dbr = dynBlockRulesGroup()
-- rate of 20 SERVFAIL responses/s over a 10 s window -> block the client for 60 s
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
-- dnsdist calls maintenance() every second if it is defined; apply the rules each time
function maintenance()
  dbr:apply()
end
This works, but it is a bit disruptive. What I would like is to send the offending IPs to an abuse pool I have already set up.
Any idea how I can use the dynBlock function to send the IPs to the abuse pool? Or is there a better way to handle this?
Thanks,
AH
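The rate rule in the configuration above (20 SERVFAILs per second over a 10 s window, then 60 s of blocking) can be modelled outside dnsdist to see which clients it would flag and to make the per-client routing decision the post is asking about. The block below is an added standalone Python example, not dnsdist code and not the poster's; it assumes the rule semantics "more than rate x seconds SERVFAIL responses within the last `seconds` seconds trips the rule", feeds a constructed response log in the format `<unix_ts> <client_ip> <qname> <rcode>`, and the pool names `abuse` and `default` are placeholders for whatever pools the real configuration defines.

```python
"""Model of a per-client SERVFAIL rate rule over a constructed response log.

Assumption (this is the modelled semantics, not verified against dnsdist):
a client trips the rule when more than rate * seconds SERVFAIL responses
were sent to it within the last `seconds` seconds, and stays flagged for
block_duration seconds. Flagged clients are routed to the abuse pool.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

BASE_TS = 1_639_200_000.0  # arbitrary epoch start for the constructed log


def generate_log() -> List[str]:
    """Constructed sample log, one '<unix_ts> <client_ip> <qname> <rcode>' per line."""
    lines: List[str] = []
    # bot: 250 SERVFAILs for random-looking names inside ~10 s (25/s)
    for i in range(250):
        lines.append(f"{BASE_TS + i * 0.04:.2f} 203.0.113.7 r{i:04d}.example.net SERVFAIL")
    # busy but legitimate client: 150 SERVFAILs spread over 60 s (2.5/s)
    for i in range(150):
        lines.append(f"{BASE_TS + i * 0.4:.2f} 198.51.100.5 q{i}.example.org SERVFAIL")
    # normal client: NOERROR only, never counted by the rule
    for i in range(300):
        lines.append(f"{BASE_TS + i * 0.03:.2f} 192.0.2.9 www.example.com NOERROR")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


class ServfailRateRule:
    """Sliding-window SERVFAIL counter per client with a timed flag."""

    def __init__(self, rate: int, seconds: int, block_duration: int, reason: str):
        self.rate = rate
        self.seconds = seconds
        self.block_duration = block_duration
        self.reason = reason
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        # client -> (flagged_until_ts, reason)
        self.flagged: Dict[str, Tuple[float, str]] = {}

    def observe(self, ts: float, client: str, rcode: str) -> bool:
        """Feed one response; return True only when it newly trips the rule."""
        if rcode != "SERVFAIL":
            return False
        window = self._recent[client]
        window.append(ts)
        cutoff = ts - self.seconds
        while window and window[0] < cutoff:  # drop entries outside the window
            window.popleft()
        until, _ = self.flagged.get(client, (0.0, ""))
        if until > ts:
            return False  # already flagged, nothing new to report
        if len(window) > self.rate * self.seconds:
            self.flagged[client] = (ts + self.block_duration, self.reason)
            return True
        return False

    def pool_for(self, client: str, ts: float, default: str = "default") -> str:
        """Routing decision: a currently flagged client goes to the abuse pool."""
        until, _ = self.flagged.get(client, (0.0, ""))
        return "abuse" if until > ts else default


def apply_rule(lines: List[str], rule: ServfailRateRule) -> Dict[str, float]:
    """Replay a log through the rule; return client -> flagged_until timestamp."""
    for line in lines:
        ts, client, _qname, rcode = line.split()
        rule.observe(float(ts), client, rcode)
    return {client: until for client, (until, _) in rule.flagged.items()}


def top_servfail_names(lines: List[str], n: int = 5) -> List[Tuple[str, int]]:
    """The manual step from the post: which names fail most often."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        _ts, _client, qname, rcode = line.split()
        if rcode == "SERVFAIL":
            counts[qname] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    log = generate_log()
    rule = ServfailRateRule(rate=20, seconds=10, block_duration=60,
                            reason="Exceeded ServFail rate")
    for client, until in apply_rule(log, rule).items():
        print(f"{client}: {rule.reason}, routed to abuse pool until {until:.0f}")
```

The bot trips the rule at its 201st SERVFAIL (8 s into the log) and is routed to the abuse pool for the next 60 s, while the client with a steady 2.5 SERVFAILs/s never exceeds 200 in any 10 s window; that is the difference between the posted rate rule and the manual sort/uniq pass, which counts totals without a time window.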