[dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots

me aharen aharen at outlook.com
Wed Dec 15 05:09:12 UTC 2021


Hello,

Thanks for the reply Remi. I think adding that to the dynamic rule would be a great feature for everyone having trouble with bot poisoning the cache :)

You mentioned that "adding the offending IP to a NetmaskGroup so that it can be used from existing rules" - can this be done now? If so, how can I do this?

The "setRCodeRatio" is good, but I would not rather block customers legit queries because he's infected.

If there is no better alternative, how can I go about capturing the offending IPs whose generating SERVFAILs to a list using the setRCodeRatio feature? So that I can use a Lua script to auto add those IP's to an addiction function towards a pool. doable?

With this approach, even a false positive would not be disruptive but rather in a controlled abuse pool.

Thanks
AH
________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com>
Sent: Monday, December 13, 2021 8:43 AM
To: dnsdist at mailman.powerdns.com <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] Dynamic Rule for abusive SERVFAIL queries from bots

Hi,

On 11/12/2021 08:44, me aharen via dnsdist wrote:
> I am running  dnsdist 1.6.1 and I am unable to figure out the safest
> method of handling large amounts of SERVFAIL queries to random domains.
>
> Right now I manually check SERVFAIL responses via 'topResponses(50,
> dnsdist.SERVFAIL)', and pick a repeating domain from the list and then
> apply a LogAction to identify the offending IPs.
>
> After some log collection, I run through sort/unique and pick the IPs
> that are cache poisoning with SERVFAILs and simply apply rule
> 'addAction(<IPs>, PoolAction("abuse"))'.
>
> It a very manual cumbersome approcah. The best method I found was to use
> dynBlockRulesGroup() as follows:
>
>     local dbr = dynBlockRulesGroup()
>
>     dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail
>     rate", 60)
>
>
>     function maintenance()
>
>         dbr:apply()
>
>     end
>
> This works but this is a bit disruptive. I would like is to send the
> offending IP's to an abuse pool I have already set up.
>
> Any Idea how can use the dynBlock function to send the IP's to abuse
> Pool? or is there a better way to handle this?

I'm afraid dnsdist currently doesn't support routing to a pool as a
target of a dynamic block, that might be an interesting feature request.
Or perhaps adding the offending IP to a NetmaskGroup so that it can be
used from existing rules. Or both :)

One way to reduce the risk of false positives might be to rely on the
ratio of ServFail answers over all the answers returned to a given
client, instead of just using the raw numbers of ServFail answers, which
can be done with DynBlockRulesGroup:setRCodeRatio [1]. That way you can
block a client if it received more than N servfails AND more than Y %
percent of all responses for that client were servfails.

[1]:
https://dnsdist.org/reference/config.html?highlight=setrcode#DynBlockRulesGroup:setRCodeRatio

Hope that helps,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20211215/578aa0e7/attachment.htm>


More information about the dnsdist mailing list