[dnsdist] Suggestions for rules to block abusive traffic
Remi Gacogne
remi.gacogne at powerdns.com
Mon Jan 8 16:50:32 UTC 2024
Hi Dan,
On 08/01/2024 17:28, Dan McCombs via dnsdist wrote:
> In our case we are affected as we use Pdns + DB backend as backend.
>
> Yep, that's exactly our case as well - our legacy Pdns + mysql backends
> don't handle this very well. Longer term we intend to move away from
> that, but finding some improvements in the meantime for handling these
> floods would be helpful. I'll let you know if we come up with anything
> interesting!
This is unfortunately a common issue indeed these days. It is possible
to use dnsdist to detect and mitigate these attacks to a certain extent,
using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule
[1] or the FFI equivalent for better performance. It requires writing a
bit of Lua code and some tuning on top of dnsdist, but all the building
blocks are there already. We have implemented this for several customers
and they are happy with the results.
Best regards,
[1]:
https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setSuffixMatchRule
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
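
The approach described in the message above, written out as a dnsdist configuration fragment. This is an added example, not code from the original message or from PowerDNS. It assumes the flood shows up as a suffix whose answers are mostly NXDOMAIN or ServFail; the thresholds, the block duration and the excluded domain are illustrative values to tune against your own traffic.

```lua
-- Added example for dnsdist.conf: block suffixes whose recent traffic is
-- almost entirely failed lookups. All constants below are assumptions.
local WINDOW_SECONDS = 10    -- how far back in the rings to look
local BLOCK_SECONDS  = 60    -- how long a matching suffix stays blocked
local MIN_QUERIES    = 500   -- ignore suffixes with too little traffic to judge
local MAX_FAIL_RATIO = 0.9   -- share of NXDOMAIN + ServFail that triggers a block
local MIN_LABELS     = 2     -- never block the root or a whole TLD

local dbr = dynBlockRulesGroup()

-- Zones that must never be blocked by the suffix rule (constructed name).
dbr:excludeDomains({"important-customer.example."})

-- Called for each label of every name seen in the inspected window.
--   node     : StatNode for the current name (fullname, labelsCount)
--   self     : StatNodeStats for this exact label only
--   children : StatNodeStats for this node plus everything below it
-- Returning true inserts a dynamic block for the suffix.
local function suffixVisitor(node, self, children)
  if node.labelsCount < MIN_LABELS then
    return false
  end
  if children.queries < MIN_QUERIES then
    return false
  end
  local failed = children.nxdomains + children.servfails
  return (failed / children.queries) >= MAX_FAIL_RATIO
end

-- The block covers every name under the matching suffix, so legitimate
-- queries for that zone are dropped too until the block expires.
dbr:setSuffixMatchRule(WINDOW_SECONDS, "suffix answers mostly NXDOMAIN/ServFail",
                       BLOCK_SECONDS, DNSAction.Drop, suffixVisitor)

-- dnsdist calls maintenance() about once per second; apply() evaluates
-- the rules and adds or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Because the visitor runs for every label on each pass, the early returns keep it cheap; the FFI variant mentioned in the message serves the same purpose at higher query rates.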