[Pdns-users] Flood Throttle

Andrew Melton rbc310 at gmail.com
Wed Sep 7 17:53:52 UTC 2011


When client requests originate from a person (i.e. web browser), I
would agree that there is little harm to network resources.
Eventually, that person will tire of hitting refresh and take their
browsing elsewhere.  Programatic requests are not so easily distracted
and can be persistent.

The concept of TTL has existed in routing forever.  A router may
respond to an ICMP request until the TTL has expired after which the
request is ignored.  This prevents routing loops from consuming
resources, however insignificant.

I realize that the DNS TTL is a timer versus ICMP which is a counter,
but I am looking for a solution similar to the IP TTL in which a
nameserver would attempt to honestly resolve a lookup to a point,
after which an alternative failure is returned.  Something which
instructs the client issuing the request that resolution is
impossible.  Just as the throttle works on forwarding, the same
dampening would be applied to responses.

Iptables and other network based solutions treat all DNS traffic the
same, namely, rate limiting queries of any kind based on IP.  I am not
assuming that just because one query is 'bad', that all subsequent
queries should also be discarded/limited.  The namserver cache is
storing information relative to the unique queries and can more
effectively limit the flow of bogus lookups without having to degrade
service to/from a particular host for legitimate traffic.

Thanks.





On Wed, Sep 7, 2011 at 9:11 AM, Jon Davis <maillist at konsoletek.com> wrote:
> Could you add something in iptables for rate limiting? Granted that wont
> handle NXDOMAIN/SRVFAIL specifically, but you could probably guess a high
> end average and cap it to that.
> -Jon
>
> On Tue, Sep 6, 2011 at 21:36, Andrew Melton <rbc310 at gmail.com> wrote:
>>
>> Following the advice from the IRC channel, I am looking for throttling
>> support in PDNS.  As I understand it, the rescursor currently has the
>> ability to suppress repetitive queries from being forwarded to an
>> authoritative name server.  However, there is no mechanism to discourage
>> those requests from the client in the first place.
>>
>> Essentially, instead of answering the a bogus query forever, at a certain
>> point, it would make sense to return an alternate response.  After 50
>> requests for an NXDOMAIN, the recursor could not only stop forwarding
>> queries, but reply with SRVFAIL or similar, updating its cache accordingly.
>>
>> Just as with setting a throttling threshold on forwarding, x requests
>> within y seconds would constitute a flood and instruct the recursor to
>> protect itself by altering its response to identical requests.
>>
>> And pushing this to a network appliance (firewall) won't work.  It needs
>> to be unattended and realtime.
>>
>> Thanks.
>>
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>



More information about the Pdns-users mailing list