[dnsdist] How to best handle DNS floods
me aharen
aharen at outlook.com
Thu Mar 31 08:59:59 UTC 2022
Hello there,
I am in a situation where my dnsdist server is being flooded with random DNS queries like those seen below:
zvbi2raw.shopify.sh.cn.
zuqiuzhibonow.shopify.sh.cn.
zypb-pjqr.shopify.sh.cn.
zuul-data.shopify.sh.cn.
zwingscloud.shopify.sh.cn.
zuqiuzhoukan00.shopify.sh.cn.
zysd.shopify.sh.cn.
zzmtwvncx.shopify.sh.cn.
zvit.shopify.sh.cn.
These floods generate large SERVFAIL responses and I would like to minimize or best handle this.
On the cache config, I have enabled temporaryFailureTTL to 3600 and staleTTL to 3600.
And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())" - although I am uncertain if this works as I think it would.
I do have another QPS rule, "addAction(MaxQPSIPRule(50), PoolAction("abuse"))", to redirect the flooders.
The only thing I can't do is apply any delay or drop action which would disrupt the user's legit queries.
Using Dynamic Rule is interesting, but it blocks queries once "exceedServFails" is exceeded and blocks legit queries for the /32 - which is disruptive.
Any pointers?
Thanks,
AH
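
Added example, not part of the original post and not dnsdist code: a small query-log check that groups queries by parent suffix instead of by client address, showing how the flood above stands out by its target zone while normal traffic from the same clients does not. The client addresses, the example.com queries and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (client IP, query name). The flood names are from the
# post; the client addresses (RFC 5737) and the example.com names are made up.
SAMPLE = [
    ("192.0.2.10", "zvbi2raw.shopify.sh.cn."),
    ("192.0.2.10", "zuqiuzhibonow.shopify.sh.cn."),
    ("192.0.2.11", "zypb-pjqr.shopify.sh.cn."),
    ("192.0.2.11", "zuul-data.shopify.sh.cn."),
    ("192.0.2.12", "zwingscloud.shopify.sh.cn."),
    ("192.0.2.12", "zysd.shopify.sh.cn."),
    ("192.0.2.10", "www.example.com."),
    ("192.0.2.10", "www.example.com."),
    ("192.0.2.11", "mail.example.com."),
    ("192.0.2.12", "www.example.com."),
]

def parent_suffix(qname, strip=1):
    """Drop the leftmost `strip` labels and return the rest, lower-cased."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[strip:]) + "."

def suffix_stats(queries):
    """Per parent suffix: total queries, distinct leftmost labels, distinct clients."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for client, qname in queries:
        s = stats[parent_suffix(qname)]
        s["queries"] += 1
        s["labels"].add(qname.lower().split(".")[0])
        s["clients"].add(client)
    return stats

def flooded_suffixes(queries, min_queries=5, min_unique_ratio=0.9):
    """Suffixes where almost every query carries a never-repeated label."""
    hits = []
    for suffix, s in suffix_stats(queries).items():
        ratio = len(s["labels"]) / s["queries"]
        # Assumed thresholds: enough volume, and nearly all labels unique.
        if s["queries"] >= min_queries and ratio >= min_unique_ratio:
            hits.append((suffix, s["queries"], len(s["clients"]), round(ratio, 2)))
    return sorted(hits)

if __name__ == "__main__":
    for suffix, total, clients, ratio in flooded_suffixes(SAMPLE):
        print(f"{suffix} queries={total} clients={clients} unique_ratio={ratio}")
```
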