[dnsdist] Best practice to handle massive DNS-JSON requests on DoH frontend
web+dnsdist at addere.ch
Sun Apr 10 17:15:19 UTC 2022
Hi,
We see massive DNS-JSON style requests on our DoH resolver which are
correctly answered with HTTP 400 Bad Request [0] by dnsdist.
Here is an example: GET /dns-query?name=asia1.ethermine.org
Every request comes in on a new TCP connection, forcing a new TLS handshake.
So for every connection a client sends ~1.6 kB and our server responds with
~6.1 kB, generating a lot of outbound traffic.
The IP sources are from all over the world and change after a few
connections and seconds. Therefore, blocking the subnets of the IP origins
does not work.
In my understanding the dnsdist rules engine does not help here because
the HTTP listener already responds with the 400 Bad Request.
We use dnsdist 1.4.0 on Ubuntu 20.04.
Any idea how to handle these DNS-JSON queries to reduce our outbound
network load?
Thanks Pascal
[0] showDOHResponseCodes()
- HTTP/1:
#  Address               200     400      403  500   502  Others
0  185.95.218.42:443     17997   1683898  0    3     91   0
1  [2a05:fc84::42]:443   1482    34396    0    0     3    0
2  185.95.218.43:443     0       0        0    0     0    0
3  [2a05:fc84::43]:443   0       0        0    0     0    0
- HTTP/2:
#  Address               200     400      403  500   502  Others
0  185.95.218.42:443     436430  2790     0    3409  385  0
1  [2a05:fc84::42]:443   106512  122      0    0     35   0
2  185.95.218.43:443     0       0        0    0     0    0
3  [2a05:fc84::43]:443   0       0        0    0     0    0
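Added example, not part of the post above and not dnsdist's own documentation: a dnsdist configuration that answers DNS-JSON style GET requests on the DoH frontend with a fixed, body-less HTTP response before any DNS processing, using the per-frontend responses map that dnsdist provides from 1.4.0 (newDOHResponseMapEntry / DOHFrontend:setResponsesMap). The listen address, certificate paths, backend address and the regular expression are placeholders, and the example assumes the regex is matched against the request path as received, including the query string; verify that against your own showDOHResponseCodes() counters after loading it.

```lua
-- dnsdist.conf excerpt (added example). Assumptions: addresses and paths are
-- placeholders, and the responses-map regex is matched against the full request
-- path including "?name=...". Requires dnsdist >= 1.4.0.

newServer({address = "127.0.0.1:53"})

-- DoH frontend; only paths listed here are served at all, everything else is 404.
addDOHLocal("185.95.218.42:443",
            "/etc/dnsdist/fullchain.pem",
            "/etc/dnsdist/privkey.pem",
            {"/dns-query"})

-- getDOHFrontend(0) is the first DoH frontend declared above.
local doh = getDOHFrontend(0)

-- Any GET on /dns-query carrying a DNS-JSON "name=" parameter is answered
-- immediately with a 400 and an empty body, so no DNS work is done and the
-- HTTP part of the reply is as small as it can be. Requests that carry the
-- RFC 8484 "dns=" parameter do not match and are processed normally.
doh:setResponsesMap({
  newDOHResponseMapEntry("^/dns-query\\?name=.*$", 400, ""),
})
```

Caveat for the situation described in the post: if most of the ~6.1 kB per connection is the TLS handshake (certificate chain plus handshake records) rather than the HTTP 400 itself, shrinking the HTTP reply saves little; confirm the split with a packet capture before relying on this, since the map cannot act before the TLS handshake has completed.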