From cm at appliedprivacy.net Mon Sep 1 22:39:42 2025
From: cm at appliedprivacy.net (Christoph)
Date: Tue, 2 Sep 2025 00:39:42 +0200
Subject: [dnsdist] Many "NS ." requests
In-Reply-To:
References:
Message-ID:

Hi Stephane,

thanks for sharing this. We run public encrypted DNS resolver services and are seeing the same.

Some properties of these queries as we see them:

* all of them are for . NS
* all of them share the same non-zero DNS transaction ID
* all of these requests reach us via DoH, not via DoT or other transports
* all of them originate from a single ASN
* over ~95% reach us via IPv6
* dnsdist memory usage increased by 110% - also with the rule shown below

We are trying to deal with this for now with this rule:

addAction(
  AndRule({
    QTypeRule(DNSQType.NS),   -- query type is NS
    QNameRule("."),           -- exact match on the root name
    NetmaskGroupRule()        -- source address in the NetmaskGroup for the ASN's prefixes (argument not shown here)
  }),
  DropAction(),
  {name="drop_root_qname_NS_from_ASN..."}
)

but apparently it doesn't actually help to reduce the load on our dnsdist frontends as measured via dnsdist_cpu_sys_msec. Maybe the rule processing even adds more load on dnsdist, so depending on what you want to protect (dnsdist vs. recursor) this isn't actually a recommendation.

Feel free to reach out off-list if you want to share more.

best regards,
Christoph
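The message above describes the pattern by what is visible in the DNS payload: a question for the root name, type NS, and one non-zero transaction ID shared across many queries. The following is an added example, not code from Christoph's message or from the dnsdist project: a small Python checker that parses the DNS header and question section from wire format, flags ". NS" queries, and tallies their transaction IDs so a shared ID stands out. The sample queries are constructed inline for the example (the IDs and names are made up); source ASN and transport (DoH vs. DoT) are not in the DNS payload, so the checker does not cover those two properties.

```python
"""Wire-format checks for the '. NS' query pattern (added example, constructed input)."""
import struct
from collections import Counter

QTYPE_NS = 2
QTYPE_A = 1
QTYPE_AAAA = 28


def parse_question(msg: bytes):
    """Parse the 12-byte header and the first question of a DNS message.

    Returns (txid, qname, qtype, qclass). qname is in presentation form,
    so the root name is ".". Raises ValueError on malformed input.
    """
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    off = 12
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated qname")
        length = msg[off]
        off += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # compression pointers are not valid in a query's question
            raise ValueError("compression pointer in question name")
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", errors="replace"))
        off += length
    if off + 4 > len(msg):
        raise ValueError("truncated question (missing qtype/qclass)")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    qname = ".".join(labels) + "." if labels else "."
    return txid, qname, qtype, qclass


def is_root_ns_query(msg: bytes) -> bool:
    """True if the message is a well-formed query for '. NS'."""
    try:
        _, qname, qtype, _ = parse_question(msg)
    except ValueError:
        return False
    return qname == "." and qtype == QTYPE_NS


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal recursion-desired query; used here only to construct sample input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    wire = b""
    if name != ".":
        for label in name.rstrip(".").split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00"
    return header + wire + struct.pack("!HH", qtype, 1)


# Constructed sample traffic (not a capture): three '. NS' queries sharing one
# non-zero transaction ID, plus two ordinary queries, one of which reuses that ID.
SAMPLE_QUERIES = [
    build_query(0x2A2A, ".", QTYPE_NS),
    build_query(0x2A2A, ".", QTYPE_NS),
    build_query(0x2A2A, ".", QTYPE_NS),
    build_query(0x1234, "example.com.", QTYPE_A),
    build_query(0x2A2A, "example.net.", QTYPE_AAAA),
]


def summarize(queries):
    """Count '. NS' queries and tally their transaction IDs.

    A single ID carrying (almost) all of the hits is the fingerprint described
    in the thread; legitimate clients randomize the ID per query.
    """
    hits = [parse_question(q) for q in queries if is_root_ns_query(q)]
    txids = Counter(f"{txid:#06x}" for txid, *_ in hits)
    return {"total": len(queries), "root_ns": len(hits), "txids": dict(txids)}


if __name__ == "__main__":
    print(summarize(SAMPLE_QUERIES))
```

Fed with real traffic, `summarize` would take the raw DNS payloads extracted from the DoH request bodies (or from a pcap of the plaintext side of dnsdist); the transaction-ID tally is what distinguishes this pattern from ordinary root NS priming queries, which use a fresh ID each time.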