[dnsdist] Best combination of addLocal/newServer amount and visibility of rules on web server?
Mart Pirita
mart at e-positive.ee
Sat Jul 27 11:09:42 UTC 2024
Hi,
Our 2 x public authoritative DNS servers (vmware, 8 CPU, 16G RAM, BIND 9.18.28, about 700 zones) are constantly getting DDOS attacks. Despite allkind (increasing buffers, disabling firewall port 53 in/out tracking etc) BIND still gives during attack about 50K udp errors, even CPU and RAM usage are normal, so I'm currently testing dnsdist 1.9.6.
I've browsed the last 2 years of mailing list archives and read the official docs, but still haven't figured out the best addLocal/newServer combination.
So few questions:
1) What amount of addLocal/newServer I should use? First I tried 8 x addLocal/newServer for ipv4 and 8 x addLocal/newServer for ipv6, but CPU usage was very high, when using instead of using 2 x addLocal/newServer for ipv4 and 2 x addLocal/newServer for ipv6, then CPU usage is much lower, however the qps was same in both cases?
2) I'm using 3 in a row MaxQPSIPRules, but the first one is listed (as the last rule) on the web server:
5 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP) tc=1 answer
How can I see also the others there, as I’d like view there their matches also on the web server?
Rules are there:
showRules()
5 814105 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP) tc=1 answer
6 254988 (IP (/32, /64) match for QPS over 10 burst 10) && (TCP) delay by 10 ms
7 45472 (IP (/32, /64) match for QPS over 20 burst 20) && (TCP) drop
And getting hits:
> topRules()
# Name Matches Rule Action
0 805888 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP) tc=1 answer
1 251769 (IP (/32, /64) match for QPS over 10 burst 10) && (TCP) delay by 10 ms
2 45387 (IP (/32, /64) match for QPS over 20 burst 20) && (TCP) drop
3) Can you give any tuning/configuration hints based my current config:
setACL({'0.0.0.0/0', '::/0'})
addLocal('127.0.0.1:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('x.x.x.x:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[x::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
setSecurityPollSuffix("")
pc = newPacketCache(10000000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
setRingBuffersSize(1000000, 100)
setMaxTCPClientThreads(20)
setMaxUDPOutstanding(65535)
local secondaryServersACL = newNMG()
secondaryServersACL:addMask("x.x.x.x")
secondaryServersACL:addMask("x.x.x.x")
addAction(AndRule({QTypeRule(DNSQType.AXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(AndRule({QTypeRule(DNSQType.IXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(NetmaskGroupRule(secondaryServersACL), AllowAction())
addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.SERVFAIL))
addAction(AndRule{MaxQPSIPRule(5), TCPRule(false)}, TCAction())
addAction(AndRule{MaxQPSIPRule(10), TCPRule(true)}, DelayAction(10))
addAction(AndRule{MaxQPSIPRule(20), TCPRule(true)}, DropAction())
controlSocket("127.0.0.1")
setKey('xxxx')
webserver("x.x.x.x:8083")
setWebserverConfig({password="xxxx"})
--
Mart
More information about the dnsdist
mailing list