[dnsdist] Best practice to handle massive DNS-JSON requests on DoH frontend

Remi Gacogne remi.gacogne at powerdns.com
Mon Apr 11 12:49:56 UTC 2022


Hi Pascal,

On 10/04/2022 19:15, Pascal K via dnsdist wrote:
> We see massive DNS-JSON style requests on our DoH resolver which are 
> correctly answered with HTTP 400 Bad Request [0] by dnsdist.
> 
> Here an example: GET /dns-query?name=asia1.ethermine.org
> 
> Every request comes in a new TCP connection forcing a new TLS handshake. 
> So every connection a client sends ~1.6kB and our server responds with 
> ~6.1kB generating a lot of outbound traffic.
> 
> The IP sources are from all over the world and change after a few 
> connections and seconds. Therefore, blocking the subnets of the IP origin 
> does not work.
> 
> In my understanding the dnsdist rule engine does not help here because 
> the HTTP listener already responds with the 400 Bad Request.

Indeed, the HTTP 400 error is generated before the query reaches the DNS 
stack, so it does not make it to the rules engine.

> We use dnsdist 1.4.0 on Ubuntu 20.04.
> 
> Any idea how to handle these DNS-JSON queries to reduce our outbound 
> network load?

I would need to see the actual traffic to be sure but our 400 errors are 
very small so I'm guessing most of the outbound traffic comes from the 
TLS certificate chain, meaning it's going to be complicated to do 
better, unless you can find something in the initial TCP packets or TLS 
handshake that can be used to identify that traffic.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
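Added example (not part of the thread, and not dnsdist's own code): a small RFC 8484 GET-target validator that shows why a DNS-JSON style request such as `GET /dns-query?name=asia1.ethermine.org` can be refused with HTTP 400 before any DNS message exists. RFC 8484 carries the query as an unpadded base64url wire-format DNS message in the `dns` parameter; a `name=` request never supplies one, so the HTTP layer rejects it and nothing reaches the rules engine. The endpoint path `/dns-query` and all inputs are assumptions for the example; the check order and error strings are illustrative, not dnsdist's.

```python
"""Illustrative DoH GET validation (added example, not dnsdist code).

RFC 8484 GET requests carry the DNS query as an unpadded base64url
encoding of a wire-format DNS message in the `dns` query parameter.
A DNS-JSON style request (`?name=...`) carries no such message, so it
is refused at the HTTP layer before any DNS parsing takes place.
All inputs below are constructed for the example.
"""
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

DOH_PATH = "/dns-query"  # assumption: endpoint path used in the post
_B64URL = re.compile(r"[A-Za-z0-9_-]*")  # unpadded base64url alphabet


def build_wire_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query (header + one question) in wire format."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        question += bytes([len(raw)]) + raw
    # Root label terminator, then QTYPE and QCLASS=IN
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def build_doh_get(qname: str) -> str:
    """Encode a wire query as the unpadded base64url `dns` parameter."""
    wire = build_wire_query(qname)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{DOH_PATH}?dns={b64}"


def parse_doh_get(request_target: str):
    """Validate a DoH GET target.

    Returns (http_status, reason, wire_message_or_None). Every early
    return here happens before a DNS message exists, which is why a
    DNS-layer rules engine never sees these requests.
    """
    parts = urlsplit(request_target)
    if parts.path != DOH_PATH:
        return 404, "unknown path", None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "dns" not in params:
        # The DNS-JSON `?name=...` case lands here: no wire message at all.
        return 400, "missing dns parameter", None
    if len(params["dns"]) != 1:
        return 400, "duplicate dns parameter", None
    encoded = params["dns"][0]
    if not _B64URL.fullmatch(encoded):
        return 400, "dns parameter must be unpadded base64url", None
    # Restore padding only for decoding; the client must not send it.
    try:
        wire = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError:
        return 400, "dns parameter is not valid base64url", None
    if len(wire) < 12:
        return 400, "DNS message shorter than the 12-byte header", None
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", wire[:12])
    if flags & 0x8000:
        return 400, "QR bit set: not a query", None
    if qdcount != 1:
        return 400, "expected exactly one question", None
    return 200, "ok", wire


if __name__ == "__main__":
    print(parse_doh_get("/dns-query?name=asia1.ethermine.org")[:2])
    print(parse_doh_get(build_doh_get("example.org"))[:2])
```

The decisive point for the thread is the first 400 branch: the `name=` request is refused on the basis of the query string alone, so the only bytes the client has cost the server by then are the TCP and TLS handshake (including the certificate chain) plus a tiny HTTP error, which matches the reply above.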

