[dnsdist] How to best handle DNS floods

me aharen aharen at outlook.com
Fri Apr 1 05:10:26 UTC 2022


Hi Mark,

That would work if it's a single known domain. The thing is domains are random and change periodically.

Currently, I have an RPZ configured to handle known domains.

The other way I could think of is to log all SERVFAILs to a file and, with some CLI wizardry, inject a rule for that domain using "dnsdist -e 'addAction( RegexRule( "<domain>" ), DropAction())'". Continuously collecting logs would be taxing on IO, yes.

Regards
AH
________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of Mark Moseley via dnsdist <dnsdist at mailman.powerdns.com>
Sent: Thursday, March 31, 2022 6:56 PM
Cc: dnsdist at mailman.powerdns.com <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] How to best handle DNS floods

Would this do the trick:

 addAction( RegexRule( "\\.shopify\\.sh\\.cn$" ), DropAction() )

?

I'm assuming that you don't actually have any legit queries for that subdomain, which might not be the case (and thus disrupt users' legit queries).

On Thu, Mar 31, 2022 at 2:00 AM me aharen via dnsdist <dnsdist at mailman.powerdns.com> wrote:
Hello there,

I am in a situation where my dnsdist server is being flooded with random DNS queries like the ones seen below:

zvbi2raw.shopify.sh.cn.
zuqiuzhibonow.shopify.sh.cn.
zypb-pjqr.shopify.sh.cn.
zuul-data.shopify.sh.cn.
zwingscloud.shopify.sh.cn.
zuqiuzhoukan00.shopify.sh.cn.
zysd.shopify.sh.cn.
zzmtwvncx.shopify.sh.cn.
zvit.shopify.sh.cn.

These floods generate large SERVFAIL responses, and I would like to minimize or best handle this.

On the cache config, I have set temporaryFailureTTL to 3600 and staleTTL to 3600.

And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())" - although I am uncertain if this works as I think it would.

I do have another QPS rule, "addAction(MaxQPSIPRule(50), PoolAction("abuse"))", to redirect the flooders.

The only thing I can't do is apply any delay or drop action which would disrupt the user's legit queries.

Using a dynamic rule is interesting, but once the "exceedServFails" threshold is exceeded it blocks all queries from that /32, including legit queries, which is disruptive.

Any pointers?

Thanks,
AH
_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
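The pieces discussed in this thread (packet cache TTLs, a drop rule for the abused suffix, the per-client QPS diversion, and dynamic blocks driven by SERVFAIL counts) collected into one dnsdist Lua configuration. This is an added example, not code from the thread or from the dnsdist project. It assumes dnsdist 1.4 or later (table-form newPacketCache and dynBlockRulesGroup with setSuffixMatchRule), a backend pool named "abuse" as in the original post, and an exempt address range that is a constructed placeholder. One detail the thread does not state: addAction() rules are evaluated on incoming queries, and a query header carries rcode 0, so RCodeRule(DNSRCode.SERVFAIL) in addAction() never matches; SERVFAILs can only be matched with addResponseAction() or counted by a dynamic block rule, which is what the suffix-match rule below does in place of a log-and-inject loop.

```lua
-- dnsdist.conf (Lua). Added example; assumes dnsdist >= 1.4 and a pool "abuse".

-- 1. Packet cache with the TTLs from the original post. Negative caching
--    absorbs repeats of the SAME failing name, but does nothing for random
--    left-most labels: every one of those is a cache miss.
pc = newPacketCache(100000, {maxTTL = 86400, minTTL = 0,
                             temporaryFailureTTL = 3600, staleTTL = 3600})
getPool(""):setCache(pc)

-- 2. Static drop for the known abused suffix. addAction() runs on queries,
--    so match the name here, not the rcode. A suffix match is cheaper than a
--    regex and does not depend on how the trailing dot is rendered.
--    Caveat from the thread: this also drops legitimate lookups under it.
addAction(SuffixMatchNodeRule("shopify.sh.cn"), DropAction())
-- Regex form as proposed in the thread, if a pattern is really needed:
-- addAction(RegexRule("\\.shopify\\.sh\\.cn$"), DropAction())

-- 3. Per-client QPS diversion, unchanged from the original post.
addAction(MaxQPSIPRule(50), PoolAction("abuse"))

-- 4. A response-side rule is the only place RCodeRule(SERVFAIL) can match.
--    Dropping the response makes legitimate clients wait for their own
--    timeout, so it is left commented out; the dynamic rules below are the
--    less disruptive alternative.
-- addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

-- 5. Dynamic blocks, applied from maintenance() once per second.
dbr = dynBlockRulesGroup()

-- Constructed placeholder: your own resolvers, never subject to client blocks.
dbr:excludeRange("192.0.2.0/24")

-- a) Per-client SERVFAIL rate: more than 20 SERVFAILs/s averaged over 10 s
--    acts on that client for 60 s. Truncate instead of Drop: UDP queries get
--    TC=1 and a real resolver retries over TCP, so a /32 shared by
--    legitimate users is slowed down rather than cut off.
dbr:setServFails(20, 10, "Too many SERVFAILs", 60, DNSAction.Truncate)

-- b) Per-suffix SERVFAIL rate. The visitor runs over dnsdist's response
--    statistics tree: `self` holds the counters for the node's exact name,
--    `children` the aggregate for the whole subtree, which is where a
--    random-label flood shows up. Field names (queries, servfails,
--    labelsCount, fullname) follow the dnsdist documentation for this call;
--    verify them against the docs of the deployed version.
function servfailSuffixVisitor(node, self, children)
  -- never block the root, a TLD or a 2-label public suffix such as sh.cn
  if node.labelsCount <= 2 then
    return false
  end
  local total = children.queries
  if total >= 200 and children.servfails >= total * 0.8 then
    -- block the suffix (e.g. shopify.sh.cn.), not the client address
    return true, "SERVFAIL flood under " .. node.fullname
  end
  return false
end

-- look at the last 20 s of responses; a matching suffix is dropped for 60 s
dbr:setSuffixMatchRule(20, "SERVFAIL suffix flood", 60, DNSAction.Drop,
                       servfailSuffixVisitor)

function maintenance()
  dbr:apply()
end
```

Load it with `dnsdist -C /path/to/dnsdist.conf` and check from the console with `showRules()`, `showResponseRules()` and `showDynBlocks()`; the suffix rule, unlike the per-client one, leaves clients untouched and blocks only the name tree that is generating the SERVFAILs, which is the "random subdomains, fixed parent" pattern from the original post.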