[dnsdist] How to best handle DNS floods

Mark Moseley moseleymark at gmail.com
Thu Mar 31 18:56:40 UTC 2022


Would this do the trick:

 addAction( RegexRule( "\\.shopify\\.sh\\.cn$" ), DropAction() )

?

I'm assuming that you don't actually have any legit queries for that
subdomain, which might not be the case (and thus disrupt users' legit
queries).

On Thu, Mar 31, 2022 at 2:00 AM me aharen via dnsdist <
dnsdist at mailman.powerdns.com> wrote:

> Hello there,
>
> I am in a situation where my dnsdist server is being flooded with random
> DNS queries like seen below:
>
> zvbi2raw.shopify.sh.cn.
> zuqiuzhibonow.shopify.sh.cn.
> zypb-pjqr.shopify.sh.cn.
> zuul-data.shopify.sh.cn.
> zwingscloud.shopify.sh.cn.
> zuqiuzhoukan00.shopify.sh.cn.
> zysd.shopify.sh.cn.
> zzmtwvncx.shopify.sh.cn.
> zvit.shopify.sh.cn.
>
> These floods generate large SERVFAIL responses and I would like to minimize
> or best handle this.
>
> On the cache config, I have enabled temporaryFailureTTL to 3600 and
> staleTTL to 3600.
>
> And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL),
> DropAction())" - although I am uncertain if this works as I think it would.
>
> I do have another QPS rule, "addAction(MaxQPSIPRule(50),
> PoolAction("abuse"))", to redirect the flooders.
>
> The only thing I can't do is apply any delay or drop action which would
> disrupt the user's legit queries.
>
> Using Dynamic Rule is interesting, but it blocks queries once the
> "exceedServFails" exceeds, blocks legit queries for /32 - which is
> disruptive.
>
> Any pointers?
>
> Thanks,
> AH
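A way to dry-run the regex from the reply against sample query names before attaching a DropAction to it, as an added example that is not part of the original thread. It assumes the rule sees the name lower-cased and without the trailing root dot; the helper names and the edge-case names are constructed for illustration.

```python
import re

# Pattern from the reply, after Lua unescapes "\\." to "\.".
DROP_PATTERN = re.compile(r"\.shopify\.sh\.cn$", re.IGNORECASE)


def normalize(qname: str) -> str:
    """Lower-case and strip the root dot (assumed form seen by the rule)."""
    return qname.rstrip(".").lower()


def would_drop(qname: str) -> bool:
    """True if the regex from the reply matches this query name."""
    return DROP_PATTERN.search(normalize(qname)) is not None


def dry_run(qnames):
    """Split query names into (dropped, passed) lists, preserving order."""
    dropped, passed = [], []
    for name in qnames:
        (dropped if would_drop(name) else passed).append(name)
    return dropped, passed


# Flood names quoted in the thread.
FLOOD = ["zvbi2raw.shopify.sh.cn.", "zuul-data.shopify.sh.cn.", "zysd.shopify.sh.cn."]
# Constructed edge cases, not taken from the thread.
EDGE = [
    "ZYSD.Shopify.SH.cn.",         # mixed-case variant of a flood name
    "shopify.sh.cn.",              # zone apex: no leading label, not matched
    "notshopify.sh.cn.",           # look-alike sibling under sh.cn
    "shopify.sh.cn.example.com.",  # suffix appears mid-name only
    "www.example.com.",            # unrelated legitimate name
]

if __name__ == "__main__":
    dropped, passed = dry_run(FLOOD + EDGE)
    for name in dropped:
        print("DROP", name)
    for name in passed:
        print("PASS", name)
```

Feeding it names taken from a real query log instead of the constructed lists shows whether any legitimate lookups under that subdomain would be caught by the drop.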