[dnsdist] How to best handle DNS floods

me aharen aharen at outlook.com
Sun Apr 3 08:42:50 UTC 2022


Remi,

Thanks for the input. Yes, we have legit customers participating in the PRSD floods.

Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you share a sample config of this rule?

Regarding the professional service, whom should I contact to get pricing details?

Thanks
AH
________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com>
Sent: Friday, April 1, 2022 8:12 AM
To: dnsdist at mailman.powerdns.com <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] How to best handle DNS floods

Hi,

On 31/03/2022 10:59, me aharen via dnsdist wrote:
> And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL),
> DropAction())" - although I am uncertain if this works as I think it would.

This will not work as expected, as this rule is going to drop queries
with a response code set to ServFail, not responses. If you want to drop
responses instead, which I'm not sure is a very good idea, you need to do:

addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

> I do have another QPS rule, "addAction(MaxQPSIPRule(50),
> PoolAction("abuse"))", to redirect the flooders.
>
> The only thing I can't do is apply any delay or drop action which would
> disrupt the user's legit queries.

So you have legitimate clients that take part in these DNS floods? Or
are you concerned about false positive?

> Using Dynamic Rule is interesting, but it blocks queries once the
> "exceedServFails" exceeds, blocks legit queries for /32 - which is
> disruptive.

You could use DynBlockRulesGroup:setRCodeRate() [1] to send a truncated
answer to blocked clients instead of dropping their queries, so regular
clients can retry over TCP. DynBlockRulesGroup:setRCodeRatio() [2] might
even be better as it allows you to only block if the ratio of ServFail
answers among all answers sent to a given client reaches a threshold.

If you are using a recent enough Linux kernel, it is even possible to do
that with XDP for much better performance, see [3].

Note that it is also possible to use dnsdist to detect and block such
PRSD attacks, with specific Lua scripts leveraging the ring buffers and
dynamic blocks. Guidance and support for writing these scripts can be
provided as part of our commercial solutions which include access to
professional services.

[1]:
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRate
[2]:
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRatio
[3]: https://github.com/PowerDNS/pdns/pull/10498

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
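The thread above discusses three dnsdist mechanisms (response rules versus query rules, per-IP QPS steering to a pool, and ServFail-based dynamic blocks that truncate rather than drop). The following dnsdist Lua configuration is an added example that puts them together; it is not the poster's configuration nor code from PowerDNS. Backend addresses, pool names, excluded ranges, rates, ratios and block durations are illustrative assumptions. setRCodeRatio requires dnsdist 1.5.0 or later.

```lua
-- Added example, not from the thread. Backend IPs, pool names, ranges and all
-- thresholds below are illustrative assumptions, not the poster's setup.

-- Backends: the default pool and an "abuse" pool that absorbs heavy hitters.
newServer({address = "192.0.2.53"})                   -- default pool (placeholder IP)
newServer({address = "192.0.2.54", pool = "abuse"})   -- low-priority backend (placeholder IP)

-- 1. Query rules never see a response code, so RCodeRule(DNSRCode.SERVFAIL) in
--    addAction() matches nothing useful. To act on ServFail *responses* the rule
--    must be attached with addResponseAction(). Dropping them is rarely a good
--    idea (clients simply retry), so this line mainly illustrates the
--    query/response distinction; remove it if you do not want that behaviour.
addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

-- 2. Per-IP QPS steering from the thread: above 50 qps a client is routed to
--    the "abuse" pool instead of being dropped, so legitimate queries from that
--    client are still answered, by a backend sized for that load.
addAction(MaxQPSIPRule(50), PoolAction("abuse"))

-- 3. Dynamic blocks keyed on ServFail, with DNSAction.Truncate instead of the
--    default drop: a blocked client's UDP queries get a truncated reply (TC=1),
--    so a real stub/resolver retries over TCP while a spoofed-source flood
--    gets nothing useful.
local dbr = dynBlockRulesGroup()

-- Never dynamically block monitoring or internal ranges (assumed ranges).
dbr:excludeRange({"10.0.0.0/8", "192.168.0.0/16"})

-- setRCodeRate(rcode, rate, seconds, reason, blockingTime [, action [, warningRate]])
-- Block a client that received more than 20 ServFail/s on average over the
-- last 10 seconds, for 60 seconds, answering TC=1 instead of staying silent.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "ServFail rate exceeded", 60, DNSAction.Truncate)

-- setRCodeRatio(rcode, ratio, seconds, reason, blockingTime, minimumNumberOfResponses [, action [, warningRatio]])
-- Better fit for mixed legitimate/PRSD traffic: act only when at least 80% of
-- the answers sent to a client over the last 10 seconds were ServFail, and only
-- once at least 100 responses have been seen for that client, so a low-volume
-- user querying one broken zone is not caught.
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 10, "ServFail ratio exceeded", 60, 100, DNSAction.Truncate)

-- dnsdist calls maintenance() about once per second; apply() inspects the
-- ring buffers and installs or expires the dynamic blocks defined above.
function maintenance()
  dbr:apply()
end
```

Tune the ratio rule first: the minimumNumberOfResponses floor is what keeps a handful of ServFails from a legitimate client below the radar, and DNSAction.Truncate only helps clients that will actually fall back to TCP, so check that your customers' resolvers do before relying on it.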