[dnsdist] Suggestions for rules to block abusive traffic
Klaus Darilion
klaus.darilion at nic.at
Mon Jan 8 21:58:10 UTC 2024
Von: Dan McCombs <dmccombs at digitalocean.com>
Gesendet: Montag, 8. Januar 2024 17:28
An: Klaus Darilion <klaus.darilion at nic.at>
Cc: dnsdist at mailman.powerdns.com
Betreff: Re: [dnsdist] Suggestions for rules to block abusive traffic
Hi Klaus!
In our case we are affected as we use Pdns + DB backend as backend.
Yep, that's exactly our case as well - our legacy Pdns + mysql backends don't handle this very well. Longer term we intend to move away from that, but finding some improvements in the meantime for handling these floods would be helpful. I'll let you know if we come up with anything interesting!
If you use PDNS make sure to use at least version 4.5 and use https://doc.powerdns.com/authoritative/settings.html#zone-cache-refresh-interval and https://doc.powerdns.com/authoritative/settings.html#setting-consistent-backends=yes (this saves plenty of DB queries). Further, the DB server must have enough RAM to have the database in RAM (i.e. in the linux file buffers).
Further you might be interested in https://indico.dns-oarc.net/event/47/contributions/1008/ and https://indico.dns-oarc.net/event/47/contributions/1017/ if you plan to use another name server. Another very fresh option would be PDNS + lmdb backend and https://doc.powerdns.com/lightningstream/ for replication.
For dnsdist there are probably other guys with more know.
Regards
Klaus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20240108/6087a05c/attachment-0001.htm>
More information about the dnsdist
mailing list