[dnsdist] Dynamic rule NXDomain

John Littlekate diosko at hotmail.com
Thu Sep 23 15:10:29 UTC 2021


Hi,

I would like to ask about the behavior of dynamic rules.
I run dnsdist 1.6.1 on Debian and I have the following rules set:
#####
local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSQType.TXT, 25, 30, "Exceeded TXT rate", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDomain rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 3, 10, "Exceeded ANY rate", 60)
dbr:setResponseByteRate(30000, 10, "Exceeded responses bps rate", 60)
dbr:setQueryRate(100, 10, "Exceeded query rate", 60, DNSAction.Drop, 80)

function maintenance()
  dbr:apply()
end
#####

There is a client which continuously sends DNS traffic like this:
src.ip.of.cnt - source IP of a client
dst.ip.of.srv - destination IP of my dnsdist server
##### tcpdump #####
11:34:02.000372 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? imap at somedomain.com. (36)
11:34:02.000474 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
11:34:02.006126 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? imap at somedomain.com. (36)
11:34:02.006246 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
...cut...
11:34:02.989632 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? imap at somedomain.com. (36)
11:34:02.989716 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
11:34:02.992114 IP src.ip.of.cnt.49152 > dst.ip.of.srv.53: 0+ A? imap at somedomain.com. (36)
11:34:02.992172 IP dst.ip.of.srv.53 > src.ip.of.cnt.49152: 0 NXDomain 0/1/0 (100)
##### end of tcpdump #####

There are more than 120 qps and all the queries end with an "NXDomain" response.
If I read my dynamic rules from the top, I think this client should be trapped by the "DNSRCode.NXDOMAIN" rule,
which is more strict for this case, but the client is usually trapped by the "QueryRate" rule.
Why is it so?

Regards

John Littlekate
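
Added example, not part of the original post and not dnsdist code: a small Python check that counts queries and NXDomain responses per client in tcpdump text output and compares the averages with the thresholds from the posted rules. It is a simplified model (average over the trailing window) and does not reproduce how dnsdist evaluates or orders its rules; the IP addresses, the queried name and the generated capture are constructed.

```python
import re
from collections import defaultdict

# (rate per second, window seconds) copied from the rules posted above.
RULES = {
    "nxdomain": (20, 10),       # setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, ...)
    "query": (100, 10),         # setQueryRate(100, 10, ...)
    "query_warning": (80, 10),  # last argument (80) of setQueryRate
}
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def parse(line):
    """Return (seconds_since_midnight, client, kind) or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, rest = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    if dport == "53" and "?" in rest:
        return ts, src, "query"
    if sport == "53" and " NXDomain" in rest:
        return ts, dst, "nxdomain"
    return None

def exceeded_rules(lines, rules=RULES):
    """Per client, the rules whose average rate over the trailing window is exceeded."""
    events = defaultdict(lambda: defaultdict(list))
    for ts, client, kind in filter(None, map(parse, lines)):
        events[client][kind].append(ts)
    last = max((t for k in events.values() for v in k.values() for t in v), default=0.0)
    result = {}
    for client, kinds in events.items():
        for name, (rate, window) in rules.items():
            kind = "nxdomain" if name == "nxdomain" else "query"
            avg = sum(t > last - window for t in kinds[kind]) / window
            if avg > rate:
                result.setdefault(client, {})[name] = avg
    return result

def constructed_capture(client, server, qps, seconds, start=11 * 3600 + 34 * 60):
    """Build constructed tcpdump-style lines: every query answered with NXDomain."""
    lines = []
    for i in range(qps * seconds):
        t = start + i / qps
        stamp = "%02d:%02d:%09.6f" % (t // 3600, t % 3600 // 60, t % 60)
        lines.append(f"{stamp} IP {client}.49152 > {server}.53: 0+ A? name.example. (36)")
        lines.append(f"{stamp} IP {server}.53 > {client}.49152: 0 NXDomain 0/1/0 (100)")
    return lines

if __name__ == "__main__":
    capture = constructed_capture("192.0.2.10", "198.51.100.53", 120, 10)
    print(exceeded_rules(capture))
```

For a client at 120 qps with only NXDomain answers, the NXDOMAIN threshold, the query-rate warning threshold and the query-rate threshold are all exceeded in the same window, so the capture alone does not determine which rule's message is reported.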