[dnsdist] Best combination of addLocal/newServer amount and visibility of rules on web server?

Sat Jul 27 11:09:42 UTC 2024

Hi,

Our 2 x public authoritative DNS servers (vmware, 8 CPU, 16G RAM, BIND 9.18.28, about 700 zones) are constantly getting DDOS attacks. Despite allkind (increasing buffers, disabling firewall port 53 in/out tracking etc) BIND still gives during attack about 50K udp errors, even CPU and RAM usage are normal, so I'm currently testing dnsdist 1.9.6. 

I've browsed the last 2 years of mailing list archives and read the official docs, but still haven't figured out the best addLocal/newServer combination. 

So few questions:

1) What amount of  addLocal/newServer I should use? First I tried 8 x addLocal/newServer for ipv4 and 8 x addLocal/newServer for ipv6, but CPU usage was very high, when using instead of using 2 x addLocal/newServer for ipv4 and 2 x addLocal/newServer for ipv6, then CPU usage is much lower, however the qps was same in both cases?

2) I'm using 3 in a row MaxQPSIPRules, but the first one is listed (as the last rule) on the web server:
5        (IP (/32, /64) match for QPS over 5 burst 5) && (UDP)    tc=1 answer

How can I see also the others there, as I’d like view there their matches also on the web server?

Rules are there:

showRules()
5                                     814105 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP)    tc=1 answer
6                                     254988 (IP (/32, /64) match for QPS over 10 burst 10) && (TCP)  delay by 10 ms
7                                      45472 (IP (/32, /64) match for QPS over 20 burst 20) && (TCP)  drop

And getting hits:
> topRules()
#   Name                             Matches Rule                                                     Action
0                                     805888 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP)    tc=1 answer
1                                     251769 (IP (/32, /64) match for QPS over 10 burst 10) && (TCP)  delay by 10 ms
2                                      45387 (IP (/32, /64) match for QPS over 20 burst 20) && (TCP)  drop

3) Can you give any tuning/configuration hints based my current config:

setACL({'0.0.0.0/0', '::/0'})
addLocal('127.0.0.1:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('x.x.x.x:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[x::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
setSecurityPollSuffix("")
pc = newPacketCache(10000000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
setRingBuffersSize(1000000, 100)
setMaxTCPClientThreads(20)
setMaxUDPOutstanding(65535)
local secondaryServersACL = newNMG()
secondaryServersACL:addMask("x.x.x.x")
secondaryServersACL:addMask("x.x.x.x")
addAction(AndRule({QTypeRule(DNSQType.AXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(AndRule({QTypeRule(DNSQType.IXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(NetmaskGroupRule(secondaryServersACL), AllowAction())
addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.SERVFAIL))
addAction(AndRule{MaxQPSIPRule(5), TCPRule(false)}, TCAction())
addAction(AndRule{MaxQPSIPRule(10), TCPRule(true)}, DelayAction(10))
addAction(AndRule{MaxQPSIPRule(20), TCPRule(true)}, DropAction())
controlSocket("127.0.0.1")
setKey('xxxx')
webserver("x.x.x.x:8083")
setWebserverConfig({password="xxxx"})

-- 
Mart