[dnsdist] How to best handle DNS floods

Remi Gacogne remi.gacogne at powerdns.com
Fri Apr 1 08:12:08 UTC 2022


Hi,

On 31/03/2022 10:59, me aharen via dnsdist wrote:
> And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), 
> DropAction())" - although I am uncertain if this works as I think it would.

This will not work as expected, as this rule is going to drop queries 
with a response code set to ServFail, not responses. If you want to drop 
responses instead, which I'm not sure is a very good idea, you need to do:

addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

> I do have another QPS rule, "addAction(MaxQPSIPRule(50), 
> PoolAction("abuse"))", to redirect the flooders.
> 
> The only thing I can't do is apply any delay or drop action which would 
> disrupt the user's legit queries.

So you have legitimate clients that take part in these DNS floods? Or 
are you concerned about false positives?

> Using Dynamic Rule is interesting, but it blocks queries once the 
> "exceedServFails" exceeds, blocks legit queries for /32 - which is 
> disruptive.

You could use DynBlockRulesGroup:setRCodeRate() [1] to send a truncated 
answer to blocked clients instead of dropping their queries, so regular 
clients can retry over TCP. DynBlockRulesGroup:setRCodeRatio() [2] might 
even be better as it allows you to only block if the ratio of ServFail 
answers among all answers sent to a given client reaches a threshold.

If you are using a recent enough Linux kernel, it is even possible to do 
that with XDP for much better performance, see [3].

Note that it is also possible to use dnsdist to detect and block such 
PRSD attacks, with specific Lua scripts leveraging the ring buffers and 
dynamic blocks. Guidance and support for writing these scripts can be 
provided as part of our commercial solutions which include access to 
professional services.

[1]: 
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRate
[2]: 
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRatio
[3]: https://github.com/PowerDNS/pdns/pull/10498

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
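The configuration below is an added example, not code from the mail above or from the dnsdist project. It puts Remi's advice into one dnsdist Lua configuration: the corrected response-side rule (left commented out, since he advises against it), the poster's QPS-to-pool rule, and a DynBlockRulesGroup using setRCodeRate() and setRCodeRatio() with DNSAction.Truncate so that blocked clients are pushed to TCP rather than dropped. Backend addresses, pool names, rates, windows and durations are assumptions chosen for illustration.

```lua
-- Added example (not from the original mail or the dnsdist project):
-- a dnsdist configuration sketch that puts the advice above together.
-- Backend addresses, pool names, rates and time windows are assumptions
-- chosen for illustration; tune them to your own traffic.

-- Regular recursors, plus a lower-priority pool that absorbs suspected flooders.
newServer({address = "192.0.2.10:53", order = 1})
newServer({address = "192.0.2.11:53", order = 1})
newServer({address = "192.0.2.20:53", pool = "abuse"})

-- Steer any client sending more than 50 queries/s into the "abuse" pool
-- instead of dropping it (the rule the original poster already uses).
addAction(MaxQPSIPRule(50), PoolAction("abuse"))

-- The rule the poster had tried, addAction(RCodeRule(...), DropAction()),
-- matches *queries* whose RCODE is ServFail, which never happens. Dropping
-- responses requires a response action. Shown only as the literal corrected
-- form, not as a recommendation: a client whose answers vanish simply retries.
-- addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

-- Dynamic blocks: decided per source address from the recent *responses*
-- recorded in dnsdist's ring buffers.
local dbr = dynBlockRulesGroup()

-- Never block our own monitoring hosts or the recursors themselves
-- (assumed ranges).
dbr:excludeRange({"127.0.0.0/8", "192.0.2.0/24"})

-- Rate form: more than 20 ServFail answers/s to one client, measured over
-- the last 10 s, blocks it for 60 s. DNSAction.Truncate answers its UDP
-- queries with TC=1, so a real stub resolver retries over TCP and is still
-- served, while a spoofed or non-retrying flood source loses the UDP path.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "ServFail rate exceeded", 60, DNSAction.Truncate)

-- Ratio form (dnsdist >= 1.5): block only if, out of at least 100 answers
-- sent to the client in the last 10 s, 80% or more were ServFail. A busy
-- legitimate client with a handful of failing names stays below this.
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 10, "ServFail ratio exceeded", 60, 100, DNSAction.Truncate)

-- Dynamic block rules are evaluated from the maintenance hook, which
-- dnsdist calls roughly once per second.
function maintenance()
  dbr:apply()
end
```

Validate the file with `dnsdist -C dnsdist.conf --check-config` before deploying, and watch `showDynBlocks()` in the console while tuning the thresholds: a legitimate client should never appear there on the ratio rule unless most of its answers really are ServFail. If every dynamic block in the configuration should truncate rather than drop, `setDynBlocksAction(DNSAction.Truncate)` sets that as the default instead of passing the action to each rule.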