[dnsdist] [EXT] Re: How to best handle DNS floods
me aharen
aharen at outlook.com
Wed Apr 6 09:02:02 UTC 2022
Hi Remi,
Thanks for the awesome example.
In your example, 80% of Servfail answers over the last 60s, with a minimum of 10 answers, will trigger fallback to TCP.
Can you explain the "minimum of 10 answers during that time to reduce the risk of false-positive" part? Does it mean that a minimum of 10 queries within that window should be SERVFAIL?
The dynamic rule can also use DNSAction.Pool instead of DNSAction.Truncate. How do I make use of the Pool? This way I could redirect them to a separate server.
Thanks for your help,
AH
________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com>
Sent: Monday, April 4, 2022 10:30 AM
To: dnsdist at mailman.powerdns.com <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] [EXT] Re: How to best handle DNS floods
Hi,
On 03/04/2022 10:42, me aharen wrote:
> Thanks for the input. Yes, we have legit customers participating in the
> PRSD floods.
Understood.
> Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you
> share a sample config of this rule?
I cannot find any example in the documentation, which I really should
fix, but we have a small example in our regression tests:
https://github.com/PowerDNS/pdns/blob/790f18878013eda17abb3fd5b0bc03cb87554c79/regression-tests.dnsdist/test_DynBlocks.py#L942
Basically to block for 120s any client that had say, more than 80% of
Servfail answers over the last 60s, with a minimum of 10 answers during
that time to reduce the risk of false positive, you would do:
local dbr = dynBlockRulesGroup()
-- rcode, ratio, window (s), reason, block duration (s), minimum answers in the window
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10)
function maintenance()
  dbr:apply()
end
If you wanted to tell these clients to try again over TCP instead:
local dbr = dynBlockRulesGroup()
-- same parameters, plus the action applied to blocked clients
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10, DNSAction.Truncate)
function maintenance()
  dbr:apply()
end
> Regarding the professional service, whom should I contact to get pricing
> details?
The easiest option is likely to go to
https://www.open-xchange.com/products/dnsdist/?hsLang=en and click
"Contact OX", and someone from our team should get back to you quickly.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
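To make the threshold semantics asked about above concrete, here is an added Python model of the SERVFAIL-ratio rule as Remi describes it (this is not dnsdist's own code; it assumes the minimum counts all answers in the window regardless of RCODE and that the ratio comparison is strict, so check the dnsdist source if a boundary value matters):

```python
from collections import defaultdict
from dataclasses import dataclass

SERVFAIL = 2  # DNS RCODE value for SERVFAIL

@dataclass
class Response:
    ts: float     # time the answer was sent, in seconds
    client: str   # client address the answer went to
    rcode: int    # RCODE of the answer

def clients_to_block(responses, now, rcode=SERVFAIL, ratio=0.8,
                     seconds=60, block_for=120, min_responses=10):
    """Model of setRCodeRatio(rcode, ratio, seconds, reason, block_for, min_responses).
    A client is blocked when, among the answers it received in the last `seconds`,
    there are at least `min_responses` answers in total (any RCODE) and the share
    of them carrying `rcode` exceeds `ratio`. Returns {client: block_expiry}."""
    window_start = now - seconds
    total, matching = defaultdict(int), defaultdict(int)
    for r in responses:
        if r.ts < window_start or r.ts > now:
            continue  # outside the sliding window, ignored
        total[r.client] += 1
        if r.rcode == rcode:
            matching[r.client] += 1
    blocked = {}
    for client, n in total.items():
        if n < min_responses:
            continue  # too few answers to judge: this is the false-positive guard
        if matching[client] / n > ratio:  # strict comparison assumed
            blocked[client] = now + block_for
    return blocked

def demo():
    """Constructed sample traffic; `now` is an arbitrary reference time."""
    now = 1000.0
    sample = []
    # 192.0.2.10: 12 answers in the window, 11 SERVFAIL (92%) -> blocked
    sample += [Response(now - 5, "192.0.2.10", SERVFAIL) for _ in range(11)]
    sample.append(Response(now - 5, "192.0.2.10", 0))
    # 192.0.2.20: 5 answers, all SERVFAIL, but below the 10-answer minimum
    sample += [Response(now - 30, "192.0.2.20", SERVFAIL) for _ in range(5)]
    # 192.0.2.30: 20 answers, half SERVFAIL -> ratio 0.5, not blocked
    sample += [Response(now - 1, "192.0.2.30", r) for r in (SERVFAIL, 0) * 10]
    # 192.0.2.40: 15 SERVFAILs, but 100s ago, i.e. outside the 60s window
    sample += [Response(now - 100, "192.0.2.40", SERVFAIL) for _ in range(15)]
    return clients_to_block(sample, now)
```

Only 192.0.2.10 ends up blocked: 192.0.2.20 has a 100% SERVFAIL ratio but too few answers to count, which is exactly what the minimum-answers parameter is for.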