[dnsdist] advice needed

Michel Otte michel at cybox.nl
Thu Feb 27 11:02:35 UTC 2025


Hi Steffan,

Generally speaking I would recommend that the public-facing IPs of your
authoritative nameservers be dnsdist only, and that you keep your pdns auth
backend servers "hidden" behind other IPs. How you distribute the load
depends a lot on your environment and architecture, so it is a bit
difficult to give advice there. You could then allow incoming requests
to your pdns auth servers from the dnsdist servers only, so they cannot be
targeted directly, if you really don't want them to be publicly
accessible.

But before changing your setup, I would also invest a little more time in
understanding what kind of attack brought down your pdns auth servers and
figure out if there is something else you can do to mitigate these attacks.
The traditional SQL backends are notably sensitive to PRSD attacks; adding
more auth backend servers to a dnsdist only works to some extent. You might
want to consider the possibility of switching to the LMDB backend if you're
dealing with that kind of attack.

With kind regards,
Michel Otte
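As an added illustration of the layout described above (this is example configuration written for this page, not Michel's or Steffan's own config, and nothing from the thread), here is a dnsdist front-end configuration for one of the public nameservers: dnsdist owns the public addresses, all six pdns auth servers sit on private addresses as hidden back-ends, and per-source dynamic blocking targets the query and NXDOMAIN rates a PRSD flood produces. All IP addresses, the zone name used for health checks and the rate thresholds are assumptions.

```lua
-- Added example dnsdist.conf for a hidden-authoritative set-up.
-- Not the original poster's configuration; addresses, zone name and
-- thresholds below are assumed values chosen for illustration.

-- 1. Public-facing listeners: only dnsdist holds the public IPs.
setLocal("192.0.2.10:53")        -- assumed public IPv4 of this NS
addLocal("[2001:db8::10]:53")    -- assumed public IPv6 of this NS

-- dnsdist's default ACL only admits RFC 1918 / loopback clients, which
-- would silently drop the whole Internet on an authoritative front-end,
-- so the ACL must be opened explicitly here.
setACL({"0.0.0.0/0", "::/0"})

-- 2. Hidden pdns auth back-ends on private addresses (assumed).
-- Every dnsdist node lists every back-end, so one auth server can be
-- taken out of rotation without touching the public NS records.
-- The back-end hosts should firewall udp/tcp 53 to the dnsdist nodes only.
local backends = {
  "10.0.0.11:53", "10.0.0.12:53", "10.0.0.13:53",
  "10.0.0.14:53", "10.0.0.15:53", "10.0.0.16:53",
}
for i, addr in ipairs(backends) do
  newServer({
    address = addr,
    name = "auth" .. i,
    -- health check: the back-end must answer a SOA query for a zone it
    -- serves (assumed zone name), otherwise it is marked down
    checkName = "example.net.",
    checkType = "SOA",
    mustResolve = true,
    maxCheckFailures = 3,
  })
end

-- 3. Send each query to the back-end with the fewest in-flight queries.
setServerPolicy(leastOutstanding)

-- 4. Packet cache: repeated questions are answered by dnsdist, so the
-- SQL back-ends see each distinct question roughly once per TTL.
local pc = newPacketCache(200000, {maxTTL = 86400, minTTL = 0,
                                   temporaryFailureTTL = 30, staleTTL = 60})
getPool(""):setCache(pc)

-- 5. Dynamic blocks per source address. A PRSD flood consists of many
-- distinct random labels, so the cache does not absorb it; the NXDOMAIN
-- rate per client is the usable signal. Thresholds are assumptions.
local dbr = dynBlockRulesGroup()
-- drop a source sending more than 200 q/s averaged over 10 s, for 60 s
dbr:setQueryRate(200, 10, "query rate exceeded", 60, DNSAction.Drop)
-- drop a source receiving more than 50 NXDOMAIN/s over 10 s, for 60 s
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10, "NXDOMAIN rate exceeded", 60,
                 DNSAction.Drop)
-- never block our own management/monitoring range (assumed prefix)
dbr:excludeRange({"10.0.0.0/8"})

-- dnsdist calls maintenance() once per second; apply the block rules there
function maintenance()
  dbr:apply()
end
```

Two caveats when adapting this: the dynamic-block thresholds apply per client address, and on an authoritative server the "client" is usually a recursive resolver, so large public resolvers can legitimately exceed a low query rate and blocking them cuts off all their users; start with generous limits (or the warning-rate variants of the same rules) and watch the dnsdist metrics before tightening. Second, dnsdist's ACL is the only network filter on the front-end; the "dnsdist only" restriction on the hidden auth servers has to be enforced on those hosts (host firewall or binding pdns to the private address), not in this file.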


> Hello All,
>
> I had the following setup:
>
> server ns1:
> dnsdist -> 127.0.0.1 pdns, SQL backend, replicated database
>
> server ns2:
> dnsdist -> 127.0.0.1 pdns, SQL backend, replicated database
>
> Last week I was attacked 3 times,
> flooding my system:
> yesterday 53 million hits in 10 minutes.
>
> I'm now on NaWas DDoS temporarily.
> That was the only way to stop it.
>
> I have now split my DNS server (multiple resellers),
> and the above setup now exists 3 times to separate the load.
>
> The question…
> What is the best way now?
> Keep this setup:
> - 6x dnsdist
> - 6 different NS servers
>
> Or should I use one dnsdist that connects to the 6 DNS servers for load
> balancing?
>
> My idea was to keep this setup and then let all 6 dnsdist connect to the 6
> servers, so if there are problems I can remove a DNS server from one of the 6.
>
> But how to do that without exposing pdns to the public?
>
> Sorry, I'm Dutch 😊
> Hope I made myself clear.
>
> With regards
>
> Steffan
> _______________________________________________
> dnsdist mailing list
> dnsdist at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>