[dnsdist] Question about implementing dynBlockRulesGroup
CamZie
camzie at protonmail.com
Mon Dec 4 13:37:22 UTC 2023
Hello,
Thanks for the help!
I tried testing "MaxQPSIPRule" by setting it to "3" but the drop connection only occurs on every 4th request. We would like to be able to block all requests from the source IP after they reach a certain limit.
Configuration:
addAction(MaxQPSIPRule(3), DropAction())
Test results:
:~$ for a in {0..7}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done
192.168.30.11
192.168.30.11
192.168.30.11
;; communications error to <DNSdist_IP>#53: timed out
192.168.30.11
192.168.30.11
192.168.30.11
;; communications error to <DNSdist_IP>#53: timed out
192.168.30.11192.168.30.11
Am I missing something in the configuration? Do you maybe have an example or tips how it should look like?
Thanks in advance.
On Monday, October 30th, 2023 at 11:19 AM, Remi Gacogne via dnsdist dnsdist at mailman.powerdns.com wrote:
> Hi,
>
> On 30/10/2023 11:08, CamZie via dnsdist wrote:
>
>> We would like to use DNSdist to block traffics that exceeds a QPS limit
>> and we have configured the following as test:
>>
>> local dbr = dynBlockRulesGroup()
>>
>> dbr:setQueryRate(5, 1, "Exceeded query rate", 60)
>> dbr:setQTypeRate(DNSQType.ANY, 2, 1, "Exceeded ANY rate", 60)
>>
>> function maintenance()
>> dbr:apply()
>> end
>>
>> However, when we do 10 queries with the following command, all 10
>> requests still goes through successfully:
>>
>> for a in {0..10}; do dig -t a <DOMAIN> @<DNSdist_IP> +short; done
>>
>> From the console, we can see that the client has been detected and is
>> listed in the blocklist but still the 10 queries has gone through even
>> though we have limited it to 5.
>>
>>> showDynBlocks()
>>> What Seconds Blocks Warning Action
>>> Reason
>>> <DNSdist_IP>/32 56 0 false Drop
>>> Exceeded query rate
>
> This is expected, as 'maintenance' is called every second so it might
> take up to a second for the client to get blocked.
>
>> Is there a way we can immediately drop the connection after reaching max
>> 5 queries per second as defined in the config? This is the same case
>> with the ANY requests restriction.
>
> MaxQPSIPRule [1](https://dnsdist.org/rules-actions.html#MaxQPSIPRule)should do that. It is a bit more expensive than dynamic
> blocks when you have a lot of queries per second because it has to
> update a state for every query, but the "shards" parameter added in
> 1.8.0 should help a lot under heavy load.
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20231204/8fbd933a/attachment.htm>
More information about the dnsdist
mailing list