[dnsdist] How to apply dynamic rules with pools?

Willis, Michael Michael.Willis at cinbell.com
Wed Feb 23 16:20:03 UTC 2022


Hello Remi,

Thank you for the quick response!
I had really just set the "ANY" trigger really low so that it would invoke, and I could verify that the rules were applying.
If I update it with the dbr rule you provided, it does indeed create a block after the first request. (yay).

I changed the rule to:
dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 600)
After testing, it looks like the entire 10 seconds needed to elapse before the rule is evaluated.
I was not expecting this logic, and that was tripping me up. I was thinking that the rules were not applying at all.
I definitely want to enable sensible rules for an auth server with 2500 zones and an average of 14k'ish QPS.

Thank you very much for your time!

-Mike Willis
________________________________
From: dnsdist <dnsdist-bounces at mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com>
Sent: Wednesday, February 23, 2022 10:59 AM
To: dnsdist at mailman.powerdns.com <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] How to apply dynamic rules with pools?

Hi Mike,

On 23/02/2022 16:49, Willis, Michael via dnsdist wrote:
> I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so
> it will trigger and stay triggered.
> This is so I can verify the correct rule is applying.

> dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)

This rule is saying "block, for 600 seconds, clients that have been
sending more than one ANY query per second over the last 100 seconds",
so one query is not going to be enough to trigger the block.

You could try this one instead:

dbr:setQTypeRate(DNSQType.ANY, 0, 1, "Exceeded ANY rate", 600)

This will block any client that has been sending more than 0 ANY query
per second over the last second. In my test this results in getting
blocked right away after sending your first ANY query. I'm not sure I
would recommend such a drastic rule, but that's a different matter :)

Hope that helps,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
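To make the arithmetic in Remi's explanation concrete, here is an added Python model (not dnsdist's own code) of how a setQTypeRate rule decides whom to block: a client is blocked when it sent more than rate * seconds queries of the given type inside the trailing window. The query log, the client addresses and the inclusive window bounds are constructed assumptions for illustration.

```python
# Added example: a model of the setQTypeRate(qtype, rate, seconds, reason,
# blockDuration) semantics described in the thread. Not dnsdist's code; the
# inclusive window [now - seconds, now] is an assumption of this model.
from collections import defaultdict


def evaluate_qtype_rate(queries, qtype, rate, seconds, block_duration, now):
    """Return {client: block_expiry} for every client whose number of
    `qtype` queries within the last `seconds` seconds exceeds rate * seconds.

    queries: iterable of (timestamp, client, qtype) tuples (a ring buffer
    of recent queries, in dnsdist terms).
    """
    window_start = now - seconds
    counts = defaultdict(int)
    for ts, client, qt in queries:
        if qt == qtype and window_start <= ts <= now:
            counts[client] += 1
    threshold = rate * seconds  # queries needed before the rule fires
    return {client: now + block_duration
            for client, n in counts.items() if n > threshold}


def build_sample_log():
    """Constructed query log: 192.0.2.10 sends one ANY query at t=5 plus a
    few ordinary A queries; 192.0.2.20 sends one ANY query per second."""
    log = [(5, "192.0.2.10", "ANY")]
    log += [(t, "192.0.2.10", "A") for t in range(0, 101, 10)]
    log += [(t, "192.0.2.20", "ANY") for t in range(0, 101)]
    return log


if __name__ == "__main__":
    log = build_sample_log()
    # Mike's original rule: rate 1/s over 100 s => more than 100 ANY queries
    # are needed, so a single ANY query from 192.0.2.10 never triggers it.
    print(evaluate_qtype_rate(log, "ANY", 1, 100, 600, now=100))
    # Remi's drastic rule: rate 0/s over 1 s => the first ANY query blocks.
    print(evaluate_qtype_rate(log, "ANY", 0, 1, 600, now=6))
```

Running it shows only 192.0.2.20 blocked by the (1, 100) rule, while the (0, 1) rule blocks both clients as soon as they send a single ANY query.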