[dnsdist] dnsdist to limit requests per domain

Remi Gacogne remi.gacogne at powerdns.com
Mon Nov 8 13:25:09 UTC 2021

Hi Stephan,

On 11/8/21 13:03, De Webmakers (Stephan) via dnsdist wrote:
> We recently experienced a DDoS on our nameservers.
> We are now looking to (help) prevent this in the future and since we are 
> using powerDNS we came across dnsdist.
> We analyzed the DDoS requests and the requests came from different 
> (probably spoofed) IP’s.
> For example x.y.z.1 and then x.y.x.2 etc.
> The requested domain was the same every time with a different subdomain.
> For example a.example.com and then b.example.com.
> Would it be possible for dnsdist to limit requests per domain instead of 
> per IP?
> So if there are more then 10 requests for *.example.com in a second (or 
> something) the requests for that entire domain (example.com) are dropped 
> for 60 seconds (or more).

The building blocks to detect and mitigate PRSD attacks are there, from 
the information in the ring buffers about recent queries and responses 
to dynamic block rules, but that requires writing quite a bit of Lua to 
tailor the behaviour to your needs. Our professional services have done 
that work for several customers already.

It is also possible to do more simple rate-limiting per domain using a 
SuffixMatchNodeRule [1] (which is much more efficient than a regular 
expression) combined with a MaxQPSRule [2], for example.

[1]: https://dnsdist.org/rules-actions.html#SuffixMatchNodeRule
[2]: https://dnsdist.org/rules-actions.html#MaxQPSRule

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20211108/f46a9744/attachment.sig>

More information about the dnsdist mailing list