[dnsdist] advice needed

mailinglist at tikklik.nl mailinglist at tikklik.nl
Thu Feb 27 11:08:33 UTC 2025


Hello Frank,

Well.

I have (I think) a small network; this was my first attack in 24 years.
Yesterday I found that one domain was hit a lot, so I blocked that one and after that spoofed it.

But that was when NaWas was already running.

LMDB was something that I hadn't heard of.
All entries come from a central MariaDB that is connected with my client portal, so I have to look into how that works.

I started after the first attack to use pools so I can find out what IP was attacked.

Here is my config below, only vip1, but I have multiple IPs set up.
This gives me on the web interface the output to see what IP is hit.
But I think that with this setup I have to add for the other pdns servers all new lines like

newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="ip2:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="ip3:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })


====================

dns_vip1 = newNMG()
dns_vip1:addMask('46.182.xxx.xxx/32')
dns_vip1b = newNMG()
dns_vip1b:addMask('2a00:1bd0:xxxx')

-- The same local backend serves both address families; each pool has its own name
newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ip6-xxx" })

cache1 = newPacketCache(50000, { keepStaleData=true, maxTTL=86400,
minTTL=0, numberOfShards=4, maxNegativeTTL=600, staleTTL=180 })

-- Pool names must match the ones used in newServer() ("ipv4-xxx", not "ipv4-xxxx"),
-- otherwise the cache is attached to an empty pool and the real pool runs without one
getPool("ipv4-xxx"):setCache(cache1)
getPool("ip6-xxx"):setCache(cache1)

-- Refuse zone transfers, NOTIFY and UPDATE coming in from the public side
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR), OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update)}), RCodeAction(DNSRCode.REFUSED))

local dbr = dynBlockRulesGroup()

--- Create a dynamic block rule for overall queries/second allowed
dbr:setQueryRate(
   ---- The number of queries/second to rate limit at
   150,
   ---- Set the measurement period over the last 10 seconds
   10,
   ---- Log the action to syslog
   "Exceeded query rate limit",
   ---- Add the block for 120 seconds
   120
)

--- Create a dynamic block rule to block queries that have resulted in a NXDOMAIN response
dbr:setRCodeRate(
   ---- Match the NXDOMAIN response
   DNSRCode.NXDOMAIN,
   ---- The number of queries/second to rate limit at
   75,
   ---- Set the measurement period over the last 10 seconds
   10,
   ---- Log the action to syslog
   "Exceeded NXD response rate",
   ---- Add the block for 120 seconds
   120
)

--- Create a dynamic block rule to block inbound queries/second from hosts of the ANY type
dbr:setQTypeRate(
   ---- Match the ANY query type
   DNSQType.ANY,
   ---- The number of queries/second to rate limit at
   50,
   ---- Set the measurement period over the last 10 seconds
   10,
   ---- Log the action to syslog
   "Exceeded ANY rate",
   ---- Add the block for 120 seconds
   120
)

-- https://dnsdist.org/rules-actions.html
-- Delay the response by 100 ms if a client (/32 on IPv4, /48 on IPv6) sends more than 20 QPS.
-- DelayAction does not stop rule processing, so the drop rule further down still applies.
addAction(MaxQPSIPRule(20, 32, 48), DelayAction(100))

-- https://powerdns.org/dnsdist-md/dnsdist-diagrams.md.html
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
setStaleCacheEntriesTTL(3600)

-- Drop queries from a client (/32 on IPv4, /48 on IPv6) that sends more than 4 QPS.
-- Note that 4 QPS is far below what a large legitimate resolver sends.
addAction(MaxQPSIPRule(4, 32, 48), DropAction())

function maintenance()
        -- The dynBlockRulesGroup rules configured above only take effect when
        -- apply() is called here; dnsdist runs maintenance() once per second
        dbr:apply()
        -- Get the addresses that had more than 20 NXDOMAINs in the last 10 seconds
        local addresses = exceedNXDOMAINS(10, 20)
        -- Block the addresses for a minute
        addDynBlocks(addresses, "Exceeded NXDomain", 60)
end

-- Route by the VIP the query arrived on (second argument false = match the destination address).
-- PoolAction ends rule processing, so these stay after the filtering rules above.
addAction(NetmaskGroupRule(dns_vip1, false), PoolAction('ipv4-xxx'))
addAction(NetmaskGroupRule(dns_vip1b, false), PoolAction('ip6-xxx'))


for 

From: Frank @ Kiwazo <frank at kiwazo.com>
Sent: Thursday, 27 February 2025 11:35
To: mailinglist at tikklik.nl
CC: dnsdist mailing list <dnsdist at mailman.powerdns.com>
Subject: Re: [dnsdist] advice needed

 

Hi Steffan,

[NL]No problem, we understand you :) For many people here, English is not their first language[/NL]

Do you have more information on the attack? Was it against one particular domain? Random subdomain attack?

There are a few things you could do, but it all depends on the type of the attack.

- On dnsdist, add Dynamic block rules https://www.dnsdist.org/guides/dynblocks.html. This allows you to block clients that e.g. generate a lot of queries which result in an NXDomain, or just to rate limit (but be careful with rate limiting legitimate resolvers)

- If this was a distributed random subdomain attack, it's quite hard to block those. At the time of the attack, you could block the attacked domain in dnsdist, preventing the queries from going to your backend infrastructure.

- In general, MySQL / PostgreSQL backends suffer a lot from the random subdomain attacks :( A faster backend like LMDB can handle 10x or even 100x more qps. So consider moving to one of those faster backends.

Best of luck fighting the bad folk!

Frank

 

 

 

Frank Louwers
Kiwazo

e: hello at kiwazo.be
m: +32 475 66 57 57

On 27 Feb 2025, at 11:20, Steffan via dnsdist <dnsdist at mailman.powerdns.com> wrote:

 

Hello All,

I had the following setup:
server ns1:
Dnsdist -> 127.0.0.1 pdns
sql backend replicated database
Server ns2:
DNSdist -> 127.0.0.1 pdns sql backend replicated database

Last week I was attacked 3 times.
Flooding my system
yesterday 53 million hits in 10 minutes

I'm now on NaWas DDoS temporarily
That was the only way to stop it.

I have now split my DNS server (multiple resellers)
and the above setup is now 3 times to separate the load.

The question…
What is the best way now
keep this setup
- 6x dnsdist
- 6 different ns servers

Or should I use one dnsdist that connects to the 6 dns servers for load balancing

My idea was to keep this setup and then let all 6 dnsdist connect to the 6 servers so if there are problems I can remove a dns from one of the 6

But how to do that without exposing pdns to the public

Sorry I'm Dutch 😊
Hope I made myself clear

With regards

Steffan

_______________________________________________
dnsdist mailing list
dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
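The following dnsdist configuration is an added example; it is not code from this thread or from the dnsdist project. It puts together Frank's three suggestions (dynamic block rules, blocking an attacked zone at the dnsdist layer, keeping load off the SQL backend) and Steffan's plan of letting every dnsdist talk to every PowerDNS server, and it shows the one thing Steffan's posted config lacks: the dynBlockRulesGroup only takes effect once maintenance() calls dbr:apply(). All addresses, pool names, zone names and the excluded resolver range are constructed placeholders; the backends are assumed to listen on a private network (10.0.0.0/24 here) reachable only from the dnsdist hosts, which is what keeps pdns itself off the public side.

```lua
-- Added example configuration for dnsdist (not from the thread or the dnsdist project).
-- All addresses, pool names and zone names below are constructed placeholders.

-- Every dnsdist instance knows every backend. Assumption: backends listen on a
-- private network that only the dnsdist hosts can reach. A misbehaving server
-- can be taken out of rotation on the console with rmServer() without touching
-- the others.
local backends = { "10.0.0.11:5300", "10.0.0.12:5300", "10.0.0.13:5300" }
for i, addr in ipairs(backends) do
  newServer({address=addr, name="ns" .. i .. "-v4", order=i, pool="ipv4-pool"})
  newServer({address=addr, name="ns" .. i .. "-v6", order=i, pool="ipv6-pool"})
end

-- One packet cache shared by both pools: a cache hit never reaches the SQL backend.
local cache = newPacketCache(100000, { keepStaleData=true, maxTTL=86400, minTTL=0,
                                       maxNegativeTTL=600, staleTTL=180, numberOfShards=4 })
getPool("ipv4-pool"):setCache(cache)
getPool("ipv6-pool"):setCache(cache)

-- Zone transfers, NOTIFY and UPDATE have no business arriving from the public side.
addAction(OrRule({ QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR),
                   OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update) }),
          RCodeAction(DNSRCode.REFUSED))

-- Emergency switch for a zone under random-subdomain attack: queries for any
-- name under a listed zone are dropped by dnsdist and never reach the backend.
-- The list is empty in normal operation; from the console run
--   blockAttackedZone("example.com")
-- during the attack and unblockAttackedZone("example.com") afterwards.
local attackedZones = newSuffixMatchNode()
addAction(SuffixMatchNodeRule(attackedZones), DropAction())
function blockAttackedZone(zone)   attackedZones:add(newDNSName(zone)) end
function unblockAttackedZone(zone) attackedZones:remove(newDNSName(zone)) end

-- Dynamic blocks. The rules are only evaluated when dbr:apply() runs, so
-- maintenance() (called by dnsdist once per second) has to call it.
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(150, 10, "Exceeded query rate limit", 120)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 75, 10, "Exceeded NXD response rate", 120)
dbr:setQTypeRate(DNSQType.ANY, 50, 10, "Exceeded ANY rate", 120)
-- Large legitimate resolvers send far more than 150 q/s from one address;
-- exclude their ranges (constructed example ranges) instead of blocking them.
dbr:excludeRange({ "198.51.100.0/24", "2001:db8:100::/48" })

function maintenance()
  dbr:apply()
end

-- Route by the VIP the query arrived on (second argument false = match the
-- destination address). PoolAction ends rule processing, so these stay last.
local vip4 = newNMG()
vip4:addMask("192.0.2.53/32")
local vip6 = newNMG()
vip6:addMask("2001:db8::53/128")
addAction(NetmaskGroupRule(vip4, false), PoolAction("ipv4-pool"))
addAction(NetmaskGroupRule(vip6, false), PoolAction("ipv6-pool"))
```

On the dnsdist console, showServers() confirms which backends sit in which pool, showDynBlocks() lists the clients currently blocked by the rules group, and the block and unblock functions above are the only thing an operator needs to touch during an attack. Because both pools share one cache and the REFUSED, attacked-zone and dynamic-block checks all run before PoolAction, a query that is refused, dropped or answered from cache costs the PowerDNS backend nothing.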

 
