[dnsdist] dnsdist Digest, Vol 65, Issue 11
Jacob Bunk Nielsen
jbn at one.com
Wed Feb 3 08:11:42 UTC 2021
Hi Sami
On 30/01/2021 19.11, SAMI RAHAL via dnsdist wrote:
> Thank you Jacob for your reply,
> I want to know the normal response from a DNS resolver server in general (the value in ms).
> Here is the setup:
As Stephane pointed out, that very much depends on a lot of variables
that are hard to predict. Are you asking because you are dissatisfied
with the performance of your setup?
> -- listen for console connection with the given secret key
> controlSocket("0.0.0.0")
> addLocal('@IP-serverdnsdist:53',{doTCP=true, reusePort=true, tcpFastOpenSize=0})
> setACL('@IP/24')
> -- fix up possibly badly truncated answers from pdns 2.9.22
> truncateTC(true)
>
> warnlog(string.format("Script starting %s", "up!"))
> newServer({name="unbound", address="@IP", qps=1000, order=1})
> newServer({name="pdns-recursor", address="@IP", order=2})
> --newServer({address="8.8.8.8", pool="abuse"})
>
>
> -- set the TC-bit (truncate) on ANY queries received over UDP, forcing a retry over TCP.
> addAction(AndRule({QTypeRule(dnsdist.ANY), TCPRule(false)}), TCAction())
This (dnsdist.ANY) indicates that you are running a fairly old version
of dnsdist (prior to 1.4, I think). There are performance improvements
done in every release. Consider upgrading.
> -- DDoS protection, block for 5 minutes. https://dnsdist.org/guides/dynblocks.html
> local dbr = dynBlockRulesGroup()
> dbr:setQueryRate(30, 10, "Exceeded query rate", 3000)
> dbr:setRCodeRate(dnsdist.NXDOMAIN, 20, 10, "Exceeded NXD rate", 3000)
> dbr:setRCodeRate(dnsdist.SERVFAIL, 20, 10, "Exceeded ServFail rate", 300)
> dbr:setQTypeRate(dnsdist.ANY, 5, 10, "Exceeded ANY rate", 300)
> dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 300)
> -- send the queries for selected domain suffixes to the server
> -- in the 'abuse' pool
> addAction({"ezdns.it.", "xxx."}, PoolAction("abuse"))
> -- send the queries from a selected subnet to the
> -- abuse pool
> addAction("192.168.1.0/24", PoolAction("abuse"))
> -- send only queries from the selected subnet to
> -- the luarule function
> addLuaAction("192.168.1.0/24", luarule)
>
> -- drop queries exceeding 5 qps, grouped by /24 for IPv4
> -- and /64 for IPv6
> addAction(MaxQPSIPRule(5, 24, 64), DropAction())
5 queries per second is not a lot. Loading some websites will generate
much more than 5 queries within a very short time. Consider increasing
this significantly. I'd be surprised if you don't see this rule being
hit frequently. Check it with 'showRules()' in the dnsdist console.
Also, if you have multiple clients in your /24 network, this is very low.
> -- move the last rule to the first position
> topRule()
Why not just add it to the top of your config?
> -- drop queries for the following suffixes:
> addAction("powerdns.org.", DropAction())
Why?
Best regards,
Jacob
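Added example, not part of the thread: the rate-limiting portion of the quoted config reworked along the lines of the comments above, for dnsdist 1.4 or later. The addresses are placeholders, the 100 qps threshold is an assumption to be tuned from showRules() hit counts, and the dynamic-block thresholds are carried over from the original config.

```lua
-- Console bound to loopback instead of 0.0.0.0 (placeholder addresses throughout).
controlSocket("127.0.0.1")
addLocal('192.0.2.1:53', {doTCP=true, reusePort=true})
setACL('192.0.2.0/24')

newServer({name="unbound", address="192.0.2.10", qps=1000, order=1})
newServer({name="pdns-recursor", address="192.0.2.11", order=2})

-- Rules are evaluated in order, so the per-client limit is placed first
-- rather than appended at the end and hoisted with topRule().
-- 5 qps per /24 is below what a single page load produces; 100 is an
-- assumed starting point, not a measured value. Check hits with showRules().
addAction(MaxQPSIPRule(100, 24, 64), DropAction())

-- Force ANY queries received over UDP to retry over TCP.
-- DNSQType.ANY replaces the pre-1.4 dnsdist.ANY constant.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())

-- Dynamic blocks: rate in qps measured over a 10 s window, block for 300 s.
-- Thresholds are the original config's; tune them together with the
-- MaxQPSIPRule value so the two limits do not contradict each other.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(30, 10, "Exceeded query rate", 300)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 300)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 300)
dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate", 300)
dbr:setResponseByteRate(10000, 10, "Exceeded resp BW rate", 300)

-- A dynBlockRulesGroup only takes effect when apply() is called; dnsdist
-- invokes maintenance() about once per second, so hook it in here.
function maintenance()
  dbr:apply()
end
```

Without the maintenance() hook the dynamic block group is configured but never applied, which is easy to miss when reviewing a config like the one quoted above.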