[dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots

Remi Gacogne remi.gacogne at powerdns.com
Mon Dec 13 08:43:46 UTC 2021


Hi,

On 11/12/2021 08:44, me aharen via dnsdist wrote:
> I am running  dnsdist 1.6.1 and I am unable to figure out the safest 
> method of handling large amounts of SERVFAIL queries to random domains.
> 
> Right now I manually check SERVFAIL responses via 'topResponses(50, 
> dnsdist.SERVFAIL)', and pick a repeating domain from the list and then 
> apply a LogAction to identify the offending IPs.
> 
> After some log collection, I run through sort/unique and pick the IPs 
> that are cache poisoning with SERVFAILs and simply apply rule 
> 'addAction(<IPs>, PoolAction("abuse"))'.
> 
> It's a very manual, cumbersome approach. The best method I found was to use 
> dynBlockRulesGroup() as follows:
> 
>     local dbr = dynBlockRulesGroup()
>     dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
> 
>     function maintenance()
>         dbr:apply()
>     end
> 
> This works, but it is a bit disruptive. I would like to send the 
> offending IPs to an abuse pool I have already set up.
> 
> Any idea how I can use the dynBlock function to send the IPs to the abuse 
> pool? Or is there a better way to handle this?

I'm afraid dnsdist currently doesn't support routing to a pool as a 
target of a dynamic block, that might be an interesting feature request. 
Or perhaps adding the offending IP to a NetmaskGroup so that it can be 
used from existing rules. Or both :)

One way to reduce the risk of false positives might be to rely on the 
ratio of ServFail answers over all the answers returned to a given 
client, instead of just using the raw numbers of ServFail answers, which 
can be done with DynBlockRulesGroup:setRCodeRatio [1]. That way you can 
block a client if it received more than N servfails AND more than Y 
percent of all responses for that client were servfails.

[1]: 
https://dnsdist.org/reference/config.html?highlight=setrcode#DynBlockRulesGroup:setRCodeRatio

Hope that helps,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
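
As an added example (not code from the thread, and not dnsdist's own configuration), the following dnsdist 1.6 Lua configuration puts the two suggestions from the reply side by side: a ratio-based dynamic block via setRCodeRatio, and a NetmaskGroup fed from the maintenance() function so that an ordinary NetmaskGroupRule can steer offenders to the existing "abuse" pool instead of blocking them. It assumes a pool named "abuse" has already been created, that the legacy exceedServFails(rate, seconds) helper is available and returns a table keyed by client address, and that the thresholds and excluded ranges are placeholders to be tuned for the actual traffic.

```lua
-- Added example, not from the mailing-list thread or the dnsdist project.
-- Assumes: a pool named "abuse" already exists (as in the original
-- question); the legacy exceedServFails() helper is available; thresholds
-- and the excluded ranges below are illustrative placeholders.

-- 1. Ratio-based dynamic block, as suggested in the reply: a client is
--    acted on only if at least 100 responses were seen for it in the
--    last 10 seconds AND more than 50% of them were SERVFAIL.
--    Signature: setRCodeRatio(rcode, ratio, seconds, reason,
--               blockDuration, minimumNumberOfResponses [, action])
local dbr = dynBlockRulesGroup()
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.5, 10, "ServFail ratio exceeded",
                  60, 100, DNSAction.Refused)
-- Never dynamically block loopback or our own monitoring range (placeholders).
dbr:excludeRange({"127.0.0.0/8", "192.0.2.0/24"})

-- 2. NetmaskGroup maintained from Lua, so that a normal rule can route
--    offenders to the abuse pool rather than refusing or dropping them.
local abusers = newNMG()
addAction(NetmaskGroupRule(abusers), PoolAction("abuse"))

local ABUSE_TTL = 300   -- seconds an address stays routed to the abuse pool
local expiry = {}       -- address string -> epoch time it may leave the pool

-- dnsdist calls maintenance() once per second.
function maintenance()
  dbr:apply()

  local now = os.time()
  -- exceedServFails(rate, seconds) returns a table keyed by client
  -- address (ComboAddress) for clients that received more than `rate`
  -- SERVFAILs in the last `seconds` seconds; the value is the count.
  for addr, count in pairs(exceedServFails(20, 10)) do
    local ip = addr:toString()
    if expiry[ip] == nil then
      infolog("Routing " .. ip .. " to abuse pool (" .. count .. " SERVFAILs)")
    end
    expiry[ip] = now + ABUSE_TTL   -- refresh on every hit
  end

  -- NetmaskGroup has no per-entry removal, so rebuild it from the
  -- entries that are still within their TTL. Clearing a field during
  -- pairs() traversal is permitted in Lua.
  abusers:clear()
  for ip, deadline in pairs(expiry) do
    if deadline > now then
      abusers:addMask(ip)
    else
      expiry[ip] = nil
    end
  end
end
```

The ratio rule answers REFUSED for the block duration, which is less damaging to a shared-NAT client than a silent drop but still a block; the NetmaskGroup path never blocks, it only changes which backend pool answers. Because a NetmaskGroup cannot expire individual entries, the maintenance function keeps its own expiry table and rebuilds the group each pass, so an address drops back to the normal pool ABUSE_TTL seconds after its last burst. Check the result with showDynBlocks() and showRules() from the console.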