[dnsdist] dnsdist to limit requests per domain
pim at lemonbit.com
Mon Nov 8 12:23:22 UTC 2021
> On 8 Nov 2021, at 13:03, De Webmakers (Stephan) via dnsdist <dnsdist at mailman.powerdns.com> wrote:
> We recently experienced a DDoS on our nameservers.
> We are now looking to (help) prevent this in the future and since we are using powerDNS we came across dnsdist.
> We analyzed the DDoS requests and the requests came from different (probably spoofed) IPs.
> For example x.y.z.1 and then x.y.x.2 etc.
> The requested domain was the same every time with a different subdomain.
> For example a.example.com and then b.example.com.
> Would it be possible for dnsdist to limit requests per domain instead of per IP?
> So if there are more than 10 requests for *.example.com in a second (or something) the requests for that entire domain (example.com) are dropped for 60 seconds (or more).
Using dnsdist you should be able to limit requests for domains and/or IP addresses. I am not sure if this is very productive, but it should be entirely possible. Hints: https://dnsdist.org/rules-actions.html#RegexRule and https://dnsdist.org/rules-actions.html#MaxQPSIPRule
On PowerDNS Authoritative Server we have found that https://doc.powerdns.com/authoritative/settings.html#overload-queue-length works pretty well against most random subdomain attacks, but YMMV. Also check if you don't have backend issues such as cache contention which can become a bottleneck under high load.
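As an added illustration of the per-domain limit discussed above (example config written for this page, not from the thread or the dnsdist project), the following dnsdist Lua configuration combines a suffix match with a QPS limiter per zone. It assumes the dnsdist 1.x config functions newSuffixMatchNode, SuffixMatchNodeRule, MaxQPSRule, NotRule, AndRule, DropAction and addAction; the zone names and limits are constructed sample values.

```lua
-- Added example (not from the thread): per-zone query rate limit in dnsdist.
-- Assumes the dnsdist 1.x Lua configuration API listed in the lead-in.
-- Zone names and limits below are constructed sample values.

-- Each zone gets its own MaxQPSRule instance, because one MaxQPSRule keeps a
-- single global counter: sharing an instance across zones would limit them jointly.
local perZoneLimits = {
  { zone = "example.com", qps = 10, burst = 20 },
  { zone = "example.net", qps = 50, burst = 100 },
}

for _, entry in ipairs(perZoneLimits) do
  -- A SuffixMatchNode matches the zone apex and every name below it
  -- (a.example.com, b.example.com, ...), which is the random-subdomain pattern.
  local smn = newSuffixMatchNode()
  smn:add(newDNSName(entry.zone))

  -- MaxQPSRule matches while traffic is still *within* the limit and consumes a
  -- token on every check, so NotRule() turns it into "over the limit". The suffix
  -- rule is listed first so AndRule stops early and tokens are only consumed by
  -- queries under this zone (assumes AndRule evaluates its selectors in order).
  addAction(
    AndRule({ SuffixMatchNodeRule(smn), NotRule(MaxQPSRule(entry.qps, entry.burst)) }),
    DropAction()
  )
end

-- Caveat for defenders: during a spoofed flood this also drops legitimate queries
-- for the zone. A per-source limit (MaxQPSIPRule, mentioned in the reply above)
-- still helps against the non-spoofed share of the traffic.
addAction(MaxQPSIPRule(20), DropAction())
```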