[dnsdist] Suggestions for rules to block abusive traffic
Klaus Darilion
klaus.darilion at nic.at
Mon Jan 8 22:08:32 UTC 2024
> -----Ursprüngliche Nachricht-----
> Von: dnsdist <dnsdist-bounces at mailman.powerdns.com> Im Auftrag von
> Remi Gacogne via dnsdist
> Gesendet: Montag, 8. Januar 2024 17:51
> An: dnsdist at mailman.powerdns.com
> Betreff: Re: [dnsdist] Suggestions for rules to block abusive traffic
>
> Hi Dan,
>
> On 08/01/2024 17:28, Dan McCombs via dnsdist wrote:
> > In our case we are affected as we use Pdns + DB backend as backend.
> >
> > Yep, that's exactly our case as well - our legacy Pdns + mysql backends
> > don't handle this very well. Longer term we intend to move away from
> > that, but finding some improvements in the meantime for handling these
> > floods would be helpful. I'll let you know if we come up with anything
> > interesting!
>
> This is unfortunately a common issue indeed these days. It is possible
> to use dnsdist to detect and mitigate these attacks to a certain extent,
> using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule
> [1] or the FFI equivalent for better performance. It requires writing a
> bit of Lua code and some tuning on top of dnsdist, but all the building
> blocks are there already. We have implemented this for several customers
> and they are happy with the results.
Hi Remi!
How does this work in detail? Does your implementation block only the queries for <random>.example.com or also "normal" queries like www.example.com or example.com MX? Or do you explicitly allow common subdomains before blocking everything else?
Blocking all queries to the attacked domain prevents collateral damage, but causes a DoS to the attacked domain and makes the customer of the attacked domain unhappy.
Regards
Klaus
More information about the dnsdist
mailing list