[Pdns-announce] Related to recent DoS attacks: Recursor configuration file guidance

bert hubert bert.hubert at netherlabs.nl
Thu Feb 6 12:10:19 UTC 2014

Hi everybody,

Over the past week we've been contacted by a few users reporting their
PowerDNS Recursor became unresponsive under a moderate denial of service
attack, one which PowerDNS should be expected to weather without issues.

In the course of investigating this issue, we've found that many PowerDNS
installations on Linux are configured to consume (far) more filedescriptors
than are actually available, waisting resources.

To check if this is the case for you, multiply the 'max-mthreads' setting by
the 'threads' setting. Default values are 2048 and 2, leading to a
theoretical FD consumption of 4096. Many Linux distributions default to
1024. So, our defaults exceed the Linux defaults by a large margin!

(FreeBSD defaults are far higher, and should not pose an issue).

To fix, there are four options:

1) Reduce max-mthreads to 512 (or threads to 1)
2) Run 'ulimit -n 4096' before starting (perhaps put this in /etc/init.d/ script)
3) Investigate defaults in /etc/limits.conf
4) Apply the patch in https://github.com/PowerDNS/pdns/commit/3a8a4d68735a0465dff9623c49fb6bf45e0850d8

The patch automates 1 and 2, either raising the limit if possible, or
reducing max-mthreads until "it fits".

Thank you for your attention, and if you have results to report to us on
previous or current DoS attacks, please contact me privately!


PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

More information about the Pdns-announce mailing list