[dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic
Klaus Darilion
klaus.darilion at nic.at
Tue Jan 9 08:50:12 UTC 2024
Hi Remi!
Thanks for the details.
> > Blocking all queries to the attacked domain prevents collateral
> > damage, but causes a DoS to the attacked domain and makes the customer
> > of the attacked domain unhappy.
>
> I fully agree, and we are working on having smarter mitigations in
> dnsdist to only drop/truncate/route to a different pool queries that
> are very likely to be part of a PRSD/enumeration attack.
Do you already have ideas how to implement that? I have thought a lot about an algorithm to block only "bad" queries but have not found a method yet.
For authoritative nameservers, meanwhile I think it would be better to just load the attacked zone completely into dnsdist or pdns-cache (or something similar to aggressive caching). Because I think just answering (mostly NXDOMAIN) may be faster than deciding if a query is bad or good.
Regards
Klaus