[dnsdist] dnsdist to limit requests per domain
Remi Gacogne
remi.gacogne at powerdns.com
Mon Nov 8 13:25:09 UTC 2021
Hi Stephan,
On 11/8/21 13:03, De Webmakers (Stephan) via dnsdist wrote:
> We recently experienced a DDoS on our nameservers.
>
> We are now looking to (help) prevent this in the future and since we are
> using powerDNS we came across dnsdist.
>
> We analyzed the DDoS requests and the requests came from different
> (probably spoofed) IP’s.
>
> For example x.y.z.1 and then x.y.x.2 etc.
>
> The requested domain was the same every time with a different subdomain.
>
> For example a.example.com and then b.example.com.
>
> Would it be possible for dnsdist to limit requests per domain instead of
> per IP?
>
> So if there are more then 10 requests for *.example.com in a second (or
> something) the requests for that entire domain (example.com) are dropped
> for 60 seconds (or more).
The building blocks to detect and mitigate PRSD attacks are there, from
the information in the ring buffers about recent queries and responses
to dynamic block rules, but that requires writing quite a bit of Lua to
tailor the behaviour to your needs. Our professional services have done
that work for several customers already.
It is also possible to do more simple rate-limiting per domain using a
SuffixMatchNodeRule [1] (which is much more efficient than a regular
expression) combined with a MaxQPSRule [2], for example.
[1]: https://dnsdist.org/rules-actions.html#SuffixMatchNodeRule
[2]: https://dnsdist.org/rules-actions.html#MaxQPSRule
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20211108/f46a9744/attachment.sig>
More information about the dnsdist
mailing list