[dnsdist] [EXT] Re: How to best handle DNS floods

Remi Gacogne remi.gacogne at powerdns.com
Mon Apr 4 10:30:02 UTC 2022


Hi,

On 03/04/2022 10:42, me aharen wrote:
> Thanks for the input. Yes, we have legit customers participating in the 
> PRSD floods.

Understood.

> Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you 
> share a sample config of this rule?

I cannot find any example in the documentation, which I really should 
fix, but we have a small example in our regression tests:

https://github.com/PowerDNS/pdns/blob/790f18878013eda17abb3fd5b0bc03cb87554c79/regression-tests.dnsdist/test_DynBlocks.py#L942

Basically, to block for 120s any client that had, say, more than 80% of 
Servfail answers over the last 60s, with a minimum of 10 answers during 
that time to reduce the risk of false positives, you would do:

local dbr = dynBlockRulesGroup()
-- arguments: rcode, ratio, window (s), reason, block duration (s), minimum number of responses
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10)

function maintenance()
   dbr:apply()
end

If you wanted to tell these clients to try again over TCP instead:

local dbr = dynBlockRulesGroup()
-- same rule, with the action to apply as the last argument
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10, DNSAction.Truncate)

function maintenance()
   dbr:apply()
end

> Regarding the professional service, whom should I contact to get pricing 
> details?

The easiest option is likely to go to 
https://www.open-xchange.com/products/dnsdist/?hsLang=en and click 
"Contact OX", and someone from our team should get back to you quickly.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
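
Added example, not part of the original message and not dnsdist code: a small Python model of the thresholds described above (more than 80% SERVFAIL over 60s, at least 10 responses), run over constructed response records to show which clients such a rule would select. The function name, record layout and the 192.0.2.0/24 addresses are assumptions made for illustration.

```python
from collections import defaultdict

SERVFAIL = 2  # DNS RCODE value for Server Failure (RFC 1035)
NOERROR = 0

# Constructed sample records: (age_in_seconds, client_ip, rcode).
SAMPLE = (
    # 18 SERVFAIL + 2 NOERROR in the window: 90%, above the ratio
    [(i, "192.0.2.10", SERVFAIL) for i in range(1, 19)]
    + [(20, "192.0.2.10", NOERROR), (21, "192.0.2.10", NOERROR)]
    # 5 SERVFAIL out of 5: 100%, but fewer than 10 responses
    + [(i, "192.0.2.20", SERVFAIL) for i in range(1, 6)]
    # 8 SERVFAIL + 2 NOERROR: exactly 80%, which is not "more than" 80%
    + [(i, "192.0.2.30", SERVFAIL) for i in range(1, 9)]
    + [(i, "192.0.2.30", NOERROR) for i in range(9, 11)]
    # 29 SERVFAIL, all older than the 60s window
    + [(i, "192.0.2.40", SERVFAIL) for i in range(61, 90)]
)


def clients_over_ratio(responses, rcode=SERVFAIL, ratio=0.8, seconds=60, minimum=10):
    """Return {client: observed_ratio} for clients the modelled rule would block."""
    total = defaultdict(int)
    matched = defaultdict(int)
    for age, client, code in responses:
        if age > seconds:          # outside the observation window
            continue
        total[client] += 1
        if code == rcode:
            matched[client] += 1

    flagged = {}
    for client, count in total.items():
        if count < minimum:        # too few responses to judge, avoids false positives
            continue
        if matched[client] > ratio * count:   # strictly more than the ratio
            flagged[client] = matched[client] / count
    return flagged


if __name__ == "__main__":
    for client, observed in sorted(clients_over_ratio(SAMPLE).items()):
        print(f"{client} would be blocked: {observed:.0%} SERVFAIL")
```

Lowering `minimum` to 5 in this model also selects 192.0.2.20, which sent only five queries, illustrating what the minimum of 10 answers protects against.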