[dnsdist] DOS configurations

Jahanzeb Arshad jahanzeb at nayatel.com
Wed Nov 29 04:21:55 UTC 2023

Hi Eric,

We are using following DOS protection configuration on dnsdist. We are 
using it for our DNS resolvers, but you can change it as per your 
requirement for authoritative servers.

This is a dynamic blocklist where we are protecting against very high 
QPS from specific clients, or high rate for specific query types (like 
ANY). You can also exclude certain IPs/networks from this blocklist.

-- Generate a warning if we detect a query rate above 100 qps for at 
least 20s.
-- If the query rate raises above 300 qps for 20s, we'll block the 
client for 60s.
-- If the NXD query rate increase above 20 for 20s block for 60s
-- If the ANY query rate increase above 20 for 20s block for 60s

local dbr = dynBlockRulesGroup()
dbr:setQueryRate(300, 20, "Exceeded query rate", 60, DNSAction.Drop, 100)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 20, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 20, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 20, 20, "Exceeded ANY rate", 60)
dbr:excludeRange({"", ""})

function maintenance()

*Jahanzeb Arshad*

On 28/11/23 21:15, Eric Merkel via dnsdist wrote:
> Hello all,
> I am a dnsdist noob here seeking some advice. I have set up and am 
> testing dnsdist in the following configuration.
> 4 geographically diverse dnsdist servers load balancing 4 
> authoritative backend servers for around 30,000 domains/zones.
> I understand how to set up an Abuse pool to handle clients that reach 
> a certain number of QPS. What I am looking for are some other example 
> configurations or best practices to help deal with DOS attacks that 
> other users have experienced in the past.
> My goal is to put some basic safeguards in place before we experience 
> an attack rather than scrambling to figure out something quickly while 
> an attack is occurring.
> Any advice or sample configurations etc would be much appreciated!
> Best regards,
> Eric
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20231129/37176296/attachment.htm>

More information about the dnsdist mailing list