[dnsdist] How to apply dynamic rules with pools?
Willis, Michael
Michael.Willis at cinbell.com
Wed Feb 23 15:49:21 UTC 2022
Ok, so here we go. I'm new to mailing lists, and have only used dnsdist for the most basic functions in the past.
I am now trying to use it as an anti-DDoS measure in authoritative DNS for an ISP.
I can't seem to figure out how to make the dynamic rules apply. I was thinking I require some sort of add action or a pool definition somewhere.
I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so it will trigger and stay triggered.
This is so I can verify the correct rule is applying.
It would be very helpful to receive some insight as to why the maintenance function/dyn rules don't seem to apply.
Thanks!
-Mike Willis
###########################
Red Hat Enterprise Linux release 8.5 (Ootpa)
Linux dnsdist01 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Mon Jan 17 07:06:06 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
4x cores
8GB memory
virtual machine
2 nics (DMZ192/Public224)
###########################
-- DNSdist ns1
-- Mike Willis 2-17-2022
----Set encrypton key for console-----------------------
setKey("redacted")
controlSocket('127.0.0.1:5199')
----- Local binds for DNS and ACLs --------------------
--ns1 public
setLocal("10.50.50.41:53")
-------------------------------------------------------
--setACL({'0.0.0.0/0', '::/0'})
-----------------------------------------------------
---Performance Tuning -------------------------------
--setRingBuffersSize(num[, numberOfShards])
setRingBuffersSize(500000,10)
----Dynamic blocking rules to mitigate abuse -----
--I'm not sure where to invoke, or apply these to a pool
--Dynamic blocks are keyed on the client source address and are checked before
--the rule chain, so they are not bound to a pool and need no addAction();
--the default action for a match is Drop (see setDynBlocksAction()).
local dbr = dynBlockRulesGroup()
--A client is blocked once its count over the last <seconds> seconds exceeds <rate>*<seconds>:
--more than 1000 queries in 10 s
dbr:setQueryRate(100, 10, "Exceeded query rate", 60)
--more than 200 NXDOMAIN (or SERVFAIL) responses in 10 s
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
--more than 100 ANY queries in 100 s (not one query per 100 s), so a single
--dig -t ANY never triggers it; rate 1 over 1 s blocks after two ANY queries in a second
dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)
--more than 200000 response bytes in 10 s
dbr:setResponseByteRate(20000, 10, "Exceeded resp BW rate", 60)
--dnsdist calls maintenance() about once per second; apply() walks the ring
--buffers (sized with setRingBuffersSize() above) and inserts the blocks
function maintenance()
dbr:apply()
end
--NOTE: Rules are processed in order, and some rules stop processing of additional rules
--IE: Some rules should be the last to run for a given flow.
----------------- Logging ----------------------
---This should be turned off in prod ---
--LogAction([filename[, binary[, append[, buffered[, verboseOnly[, includeTimestamp]]]]]])
--Note: with buffered=true, lines reach the file only when the stdio buffer is flushed, so the log lags behind live traffic
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false, false, true))
-------------------------------------------------
----- Pool Availability rules and failover ------
--Send traffic to ns1 if it is up
--PoolAvailableRule matches only while ns1 has a usable backend; PoolAction
--stops further rule processing, so the fallback below is reached only when it does not
addAction(PoolAvailableRule("ns1"), PoolAction("ns1"))
--Send traffic to ns2 if ns1 is down
addAction(AllRule(), PoolAction("ns2"))
------------------------------------------------
----------- Load balanced servers and pool definitions ---------------
--ns1
--intentionally broken for testing failover
newServer({address="127.0.0.2", source="ens224", pool="ns1"})
--ns2 will be across a wan
newServer({address="9.9.9.9", source="ens224", pool="ns2"})
---------------------------------------------------------------------
############################################
dig @10.50.50.41 -tany dnsdist.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> @10.50.50.41 -tany dnsdist.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10952
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnsdist.org. IN ANY
;; ANSWER SECTION:
dnsdist.org. 43193 IN NS pdns-public-ns1.powerdns.com.
dnsdist.org. 3593 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020080301 10800 3600 604800 10800
dnsdist.org. 43193 IN NS pdns-public-ns2.powerdns.com.
dnsdist.org. 43193 IN A 188.166.104.92
dnsdist.org. 43193 IN AAAA 2a03:b0c0:2:d0::4ab:8001
;; Query time: 48 msec
;; SERVER: 10.50.50.41#53(10.50.50.41)
;; WHEN: Wed Feb 23 10:38:03 EST 2022
;; MSG SIZE rcvd: 205
[root@dnsdist01 dnsdist]# dnsdist -c
> showDynBlocks()
What Seconds Blocks Warning Action Reason
>
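Added illustration, not part of the post and not dnsdist's own code: a Python model of the check the dnsdist documentation describes for DynBlockRulesGroup (a client is blocked once its count over the last `seconds` seconds exceeds rate * seconds), run over the same rule set as the posted config. The method names copy the Lua API, but the internals, the ring entries, the client address 192.0.2.10 and the pool names are constructed for the example. It shows why a single dig -t ANY leaves showDynBlocks() empty, what volume does trigger the rule, that the block is keyed on the client address and not on a pool, and when it expires.

```python
"""Model of how dnsdist decides a dynamic block (added illustration, not dnsdist
code): a client is blocked when its count over the last `seconds` seconds exceeds
rate * seconds.  Method names mirror the Lua API; internals and data are ours."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
CLIENT = "192.0.2.10"   # constructed client address (TEST-NET-1)

@dataclass(frozen=True)
class RingEntry:
    when: float            # arrival time in seconds (constructed)
    client: str            # source address: the only key dynamic blocks use
    qtype: str             # "A", "ANY", ...
    rcode: Optional[str]   # None for a query; "NOERROR", "NXDOMAIN", ... for a response
    size: int              # wire size in bytes
    pool: str              # pool the query was routed to; ignored by dyn blocks

@dataclass(frozen=True)
class RateRule:
    rate: int              # "rate per second to exceed"
    seconds: int           # window apply() looks back over
    reason: str
    block_duration: int    # lifetime of the resulting block, in seconds
    def exceeded(self, count: int) -> bool:
        # Sustained `rate`/s over `seconds`: count > rate * seconds, not count >= rate.
        return count > self.rate * self.seconds

class DynBlockRulesGroup:
    """Stand-in for dynBlockRulesGroup() with the call shapes of the Lua API."""
    def __init__(self) -> None:
        self.rules: List[Tuple[str, Optional[str], RateRule]] = []
        self.blocks: Dict[str, Tuple[str, float]] = {}   # client -> (reason, expiry)

    def _add(self, kind, selector, rate, seconds, reason, duration):
        self.rules.append((kind, selector, RateRule(rate, seconds, reason, duration)))
    def setQueryRate(self, *a):        self._add("query", None, *a)
    def setQTypeRate(self, qtype, *a): self._add("qtype", qtype, *a)
    def setRCodeRate(self, rcode, *a): self._add("rcode", rcode, *a)
    def setResponseByteRate(self, *a): self._add("bytes", None, *a)

    @staticmethod
    def _weight(kind: str, selector: Optional[str], e: RingEntry) -> int:
        # How much one ring entry adds to a rule's per-client counter.
        if kind == "bytes":
            return e.size if e.rcode is not None else 0
        if kind == "rcode":
            return int(e.rcode == selector)
        return int(e.rcode is None and (kind == "query" or e.qtype == selector))

    def apply(self, ring: List[RingEntry], now: float) -> Dict[str, str]:
        """What maintenance() -> dbr:apply() does about once a second: expire old blocks,
        count the ring per client inside each rule's window, block anyone over threshold."""
        self.blocks = {c: v for c, v in self.blocks.items() if v[1] > now}
        added: Dict[str, str] = {}   # blocks inserted on this pass
        for kind, selector, rule in self.rules:
            counts: Dict[str, int] = {}
            for e in ring:
                if now - rule.seconds <= e.when <= now:
                    counts[e.client] = counts.get(e.client, 0) + self._weight(kind, selector, e)
            for client, count in counts.items():
                if client not in self.blocks and rule.exceeded(count):
                    self.blocks[client] = (rule.reason, now + rule.block_duration)
                    added[client] = rule.reason
        return added

    def showDynBlocks(self, now: float) -> List[Tuple[str, int, str]]:
        # Rows like the console's showDynBlocks(): client, seconds left, reason.
        return [(c, int(exp - now), r) for c, (r, exp) in sorted(self.blocks.items()) if exp > now]

def group_from_post() -> DynBlockRulesGroup:
    """The posted rule set, annotated with the thresholds it really implies."""
    dbr = DynBlockRulesGroup()
    dbr.setQueryRate(100, 10, "Exceeded query rate", 60)             # > 1000 queries / 10 s
    dbr.setRCodeRate("NXDOMAIN", 20, 10, "Exceeded NXD rate", 60)     # > 200 NXDOMAIN / 10 s
    dbr.setRCodeRate("SERVFAIL", 20, 10, "Exceeded ServFail rate", 60)
    dbr.setQTypeRate("ANY", 1, 100, "Exceeded ANY rate", 600)         # > 100 ANY / 100 s
    dbr.setResponseByteRate(20000, 10, "Exceeded resp BW rate", 60)   # > 200000 B / 10 s
    return dbr

def any_traffic(n: int, start: float, spacing: float) -> List[RingEntry]:
    """n ANY queries plus answers from CLIENT, alternating pools: the pool plays no part."""
    ring: List[RingEntry] = []
    for i in range(n):
        t, pool = start + i * spacing, ("ns1", "ns2")[i % 2]
        ring.append(RingEntry(t, CLIENT, "ANY", None, 40, pool))
        ring.append(RingEntry(t + 0.05, CLIENT, "ANY", "NOERROR", 205, pool))
    return ring

def single_dig_any(now: float = 1000.0) -> Dict[str, str]:
    """The post's test, one dig -t ANY: 1 is not > 1 * 100, so nothing is blocked."""
    return group_from_post().apply(any_traffic(1, now - 5, 0), now)

def any_flood(now: float = 1000.0) -> List[Tuple[str, int, str]]:
    """101 ANY queries inside the 100 s window: blocked for 600 s, whatever the pool."""
    dbr = group_from_post()
    dbr.apply(any_traffic(101, now - 90, 0.5), now)
    return dbr.showDynBlocks(now)
```

Against a real dnsdist the equivalent check is to send more than 100 ANY queries from one client inside 100 seconds (dig -t ANY in a loop), wait a second for maintenance() to run, then look at showDynBlocks() on the console; with rate 1 over 1 second the block appears after the second ANY query within a second. Nothing in that flow touches a pool: the block is looked up by client address before the rule chain runs.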