[dnsdist] rule to limit the QPS for each zone in absolute terms
Jacob Bunk Nielsen
jbn at one.com
Mon Apr 3 18:26:52 UTC 2023
Hi
On 02/04/2023 09.35, Marco Mangione via dnsdist wrote:
> Have you ever had an area under flood attack? Well, it is identified
> (even automatically) and a specific rule is applied to the area under
> attack.
>
> Do you think it is possible to create a dynamic rule that does this
> automatically? That is, if a single zone exceeds X qps --> action.
The problem is that dnsdist usually doesn't know what is a zone and what
is not.
E.g. is www.example.com a zone? You would need to check for a SOA record
and delegation records to know for sure. That is likely more expensive
than just answering the query you got.
What about foo.bar.example.com? Or a.b.c.d.example.com? Those random
subdomain attacks can go quite deep in some cases.
I completely understand why you have this idea, but it's not entirely
trivial to implement in a sufficiently generic way.
Best regards,
Jacob