[dnsdist] [EXT] Re: How to best handle DNS floods

Remi Gacogne remi.gacogne at powerdns.com
Mon Apr 11 13:19:53 UTC 2022


Hi,

On 06/04/2022 11:02, me aharen wrote:
> Can you explain the "minimum of 10 answers during that time to reduce 
> the risk of false-positive" part? Does it mean a minimum of 10 queries 
> within that window, should be SERVFAIL?

It means that we need to have seen at least 10 answers, SERVFAIL or not, 
for that client during the 60s window. The idea is that we do not want 
to apply the ratio to a very small sample, because then there is a much 
bigger risk of false positive as the sample is not representative at all.

> The dynamic rule can also use DNSAction.Pool instead 
> of DNSAction.Truncate. How do I make use of the Pool? This way I could 
> redirect them to a separate server.

Unless I'm mistaken, I am afraid we do not support routing to a pool on a 
dynamic block match, because I do not see a way to pass the destination 
pool on a dynamic block rule. That sounds like a valid use-case, of 
course, so please feel free to open a feature request on GitHub and I'll 
try to implement that in the next version.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
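A worked dnsdist configuration illustrating the two points in the reply above: the minimum-sample parameter behind the SERVFAIL ratio rule, and Truncate as the block action in place of the (unsupported) Pool. This is an added example, not code from the thread or from the dnsdist project. It assumes dnsdist 1.5 or later, where DynBlockRulesGroup:setRCodeRatio takes a minimumNumberOfResponses argument; all thresholds, buffer sizes and address ranges are illustrative and need tuning to real traffic.

```lua
-- Added example, not from the mailing-list thread or the dnsdist project.
-- Assumes dnsdist >= 1.5.0 (DynBlockRulesGroup:setRCodeRatio). Numbers and
-- address ranges below are illustrative placeholders.

-- Dynamic block rules are evaluated over dnsdist's in-memory ring buffers,
-- so a 60 s measurement window on a busy resolver needs buffers large enough
-- to actually hold 60 s of traffic. 10000 entries x 10 shards is an assumed
-- starting point, not a recommendation.
setRingBuffersSize(10000, 10)

local dbr = dynBlockRulesGroup()

-- Never insert a dynamic block for monitoring or internal ranges
-- (assumed addresses; adjust to your environment).
dbr:excludeRange({"127.0.0.0/8", "192.0.2.0/24"})

-- SERVFAIL ratio rule:
--   rcode                     = DNSRCode.SERVFAIL
--   ratio                     = 0.5   (block above 50% SERVFAIL answers)
--   seconds                   = 60    (measurement window)
--   reason                    = logged / shown by showDynBlocks()
--   blockingTime              = 60    (how long the block lasts, in s)
--   minimumNumberOfResponses  = 10    (the "minimum of 10 answers" from the
--                                      thread: SERVFAIL or not, the client
--                                      must have received at least 10
--                                      answers in the window before the
--                                      ratio is considered at all, so one
--                                      SERVFAIL out of two answers, i.e.
--                                      50%, does not trigger a block)
--   action                    = DNSAction.Truncate
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.5, 60,
                  "Exceeded SERVFAIL ratio", 60, 10, DNSAction.Truncate)

-- A plain rate rule next to it: more than 20 SERVFAIL answers per second,
-- averaged over the last 10 s, regardless of ratio. No explicit action here,
-- so the global dynamic block action below applies.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded SERVFAIL rate", 60)

-- Global default action for dynamic blocks that do not name their own.
-- Truncate answers over UDP with the TC bit set: a real client retries over
-- TCP and is served, while a spoofed-source UDP flood gets nothing useful.
-- Routing blocked clients to a separate pool (DNSAction.Pool) is not an
-- option for dynamic blocks, as the reply above explains.
setDynBlocksAction(DNSAction.Truncate)

-- dnsdist calls maintenance() roughly once per second; evaluating the rule
-- group here is what actually inserts (and later expires) the blocks.
function maintenance()
  dbr:apply()
end
```

On the dnsdist console, showDynBlocks() lists the currently blocked clients with the reason string given above, and clearDynBlocks() removes them all. Because Truncate only helps when the flood is UDP and the legitimate clients can fall back to TCP, make sure the TCP listeners and the backends' TCP capacity are sized for that retry traffic before enabling it on a production resolver.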

