[dnsdist] [EXT] AW: Suggestions for rules to block abusive traffic
Remi Gacogne
remi.gacogne at powerdns.com
Tue Jan 9 09:05:53 UTC 2024
On 09/01/2024 09:50, Klaus Darilion wrote:
>> I fully agree, and we are working on having smarter mitigations in
>> dnsdist to only drop/truncate/route to a different pool queries that
>> are very likely to be part of a PRSD/enumeration attack.
>
> Do you already have ideas how to implement that? I have thought a lot about an algorithm to block only "bad" queries but have not found a method yet.
We have been looking into several heuristics, like the entropy of the
queries, and we are getting good results.
> For authoritative nameservers, meanwhile I think it would be better to just load the attacked zone completely into dnsdist or pdns-cache (or something similar to aggressive caching). Because I think just answering (mostly NXDOMAIN) may be faster than deciding if a query is bad or good.
We have already deployed something like that for zones that are not
DNSSEC-signed: dnsdist learns the content of the zone via XFR, sends
NXDOMAIN for names that do not exist and passes the remaining ones to the
backend. I know some people have done it in a different way and load
attacked zones into an LMDB PowerDNS, telling dnsdist to route queries
for these zones to the LMDB PowerDNS server. Of course most of the
difficulty lies in automating this, which is very specific to every setup.
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
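Added illustration, not code from dnsdist or from anyone on this thread: a Python model of the two mitigations Remi describes, the zone-aware NXDOMAIN frontend for an unsigned zone (names learned from a transfer, with the empty non-terminal, delegation and wildcard cases that a naive "name not in set" check gets wrong) and a per-client entropy heuristic for random-subdomain (PRSD) bursts that truncates rather than drops, so legitimate resolvers can retry over TCP. The AXFR record list, the client addresses and the thresholds (label length 8, 3.0 bits/char, 20 hits in 10 s) are constructed assumptions; dnsdist's actual heuristics are not published in this message.

```python
import math
from collections import Counter, defaultdict, deque

ZONE_APEX = "example.com."

# Constructed stand-in for what a frontend would learn via AXFR: (owner, RR type).
# Not a real transfer. The zone is deliberately unsigned; for a DNSSEC-signed zone
# the frontend cannot produce NSEC/NSEC3 proofs and must not synthesize NXDOMAIN.
AXFR_RECORDS = [
    ("example.com.", "SOA"),
    ("example.com.", "NS"),
    ("www.example.com.", "A"),
    ("mail.example.com.", "MX"),
    ("a.b.example.com.", "TXT"),      # makes b.example.com. an empty non-terminal
    ("sub.example.com.", "NS"),       # delegation: names below it get a referral
    ("*.wild.example.com.", "A"),     # wildcard: anything below wild. exists
]


def normalize(name):
    """DNS names compare case-insensitively; canonicalize to lower-case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def ancestors(name, apex):
    """Proper ancestors of `name`, nearest first, stopping at (and including) the apex."""
    if name == apex:
        return []
    labels = name.rstrip(".").split(".")
    out = []
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:]) + "."
        out.append(anc)
        if anc == apex:
            break
    return out


class LearnedZone:
    """Just enough structure of an unsigned zone to say 'this name provably does not exist'."""

    def __init__(self, apex, records):
        self.apex = normalize(apex)
        self.names = set()          # every existing name, empty non-terminals included
        self.delegations = set()    # NS owners below the apex (zone cuts)
        self.wildcards = set()      # closest enclosers that own a "*" child
        for owner, rtype in records:
            owner = normalize(owner)
            self.names.add(owner)
            self.names.update(ancestors(owner, self.apex))
            if rtype == "NS" and owner != self.apex:
                self.delegations.add(owner)
            if owner.startswith("*."):
                self.wildcards.add(owner[2:])

    def in_zone(self, qname):
        return qname == self.apex or qname.endswith("." + self.apex)

    def decide(self, qname):
        """'nxdomain' only when the name cannot exist; everything else goes to the backend."""
        qname = normalize(qname)
        if not self.in_zone(qname):
            return "backend"
        if qname in self.names:
            return "backend"          # exists (possibly NODATA): let the authoritative answer
        for anc in ancestors(qname, self.apex):
            if anc in self.delegations:
                return "backend"      # below a cut: the right answer is a referral
            if anc in self.names:
                # closest encloser found; a wildcard there would synthesize an answer
                return "backend" if anc in self.wildcards else "nxdomain"
        return "nxdomain"


def label_entropy(label):
    """Shannon entropy in bits/char of one label; random labels sit near log2(alphabet size)."""
    if not label:
        return 0.0
    n = len(label)
    counts = Counter(label.lower())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class PrsdDetector:
    """Count high-entropy non-existent names per client: one odd label is noise, a burst is an attack."""

    def __init__(self, zone, min_len=8, min_entropy=3.0, burst=20, window=10.0):
        self.zone = zone
        self.min_len, self.min_entropy = min_len, min_entropy   # assumed thresholds
        self.burst, self.window = burst, window                 # assumed thresholds
        self.hits = defaultdict(deque)                          # client -> timestamps

    def observe(self, client, qname, now):
        """Return 'backend', 'nxdomain' or 'truncate' (TC=1 so real resolvers retry over TCP)."""
        verdict = self.zone.decide(qname)
        if verdict != "nxdomain":
            return verdict
        label = normalize(qname).split(".")[0]
        # Entropy alone is a weak signal (e.g. "autodiscover" scores above 3 bits), so it is
        # only used to qualify a hit; the decision rests on the per-client rate.
        if len(label) >= self.min_len and label_entropy(label) >= self.min_entropy:
            hits = self.hits[client]
            hits.append(now)
            while hits and now - hits[0] > self.window:
                hits.popleft()
            if len(hits) >= self.burst:
                return "truncate"
        return verdict
```

In a real deployment the record list would be fed by a zone transfer and refreshed on SOA serial change, and the "truncate" verdict would map to dnsdist's TC handling; the model only shows which names are safe to refuse locally and why the per-client counter, not the entropy value, makes the call.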