[dnsdist] Dump topClients, topResponses, topQueries on dynamic block

Lucas Rolff lucas at lucasrolff.com
Sun May 9 09:00:42 UTC 2021

Hi guys,

Recently I started to move some servers behind dnsdist (due to an NX Domain attack). I knew from my time at my old employer that dnsdist was capable of handling things like NX blocking etc. using dynamic blocks.

I’ve set up a dynamic block that will block clients for 60 seconds if they’re performing queries that result in a lot of NXDOMAIN responses, and it works great.

However, I’d love to get more insight into what is being targeted when these blocks actually happen – dnsdist logs the offending IP to syslog when it gets blocked, so I know the client(s) doing the excessive amount of lookups.

Is there any relatively simple way in dnsdist to get things like topQueries/topResponses being performed at the time of the block, and maybe even things like the output of “grepq”? (But I think this is harder to get, since you’d have to first get the topQueries and select what you want to query from the ring buffer.)

I wonder if anyone has already done this before, or can give any pointers to how it could be implemented somewhat easily (I’m by no means a Lua guy 😃).

I’m using dnsdist 1.6rc2, if that makes any difference.

Thanks in advance, and thanks for an awesome piece of software!

Best Regards,
Lucas Rolff

