[Pdns-users] Fwd: DNS RRL for PowerDNS

joerg jungermann jj+powerdns at borkum.net
Thu Sep 13 12:17:10 UTC 2012

Hi Klaus!

> Are there any plans to implement DNS RRL
> (http://www.redbarn.org/dns/ratelimits) or similar for PowerDNS? These
> DNS amplification attacks are really annoying.
Yes, this might be a nice feature.

As DNS traffic regularly consists of a lot of small UDP packets, that
have to be transported from kernel space to the application.

This is very expensive if you consider a friend $IP will hit the limit and
you think about dropping those queries and you have a lot of DNS traffic.

But if you are using a Un*x system like *BSD or Linux you are able to
achieve this via $PACKETFILTER of the kernel.

On Linux you can use the iptables hashlimit match in srcip mode for this.

# drop_log_dns_abuse is a user-defined chain (log, then DROP) that must exist first
iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
 --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
 --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse

(If you are dealing with a lot of ANY queries against an authoritative DNS,
the above works well for me (TM).)

> regards
> Klaus
Joerg Jungermann
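The hashlimit rule above jumps to a chain that the post does not define. The script below is an added example, not part of the original post or of PowerDNS: it creates that `drop_log_dns_abuse` chain (rate-limited LOG, then DROP) and installs the per-source-IP hashlimit rule in INPUT. It assumes IPv4 iptables with the hashlimit match and LOG target available; setting `IPTABLES=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): define the drop_log_dns_abuse
# chain and install the srcip hashlimit rule for inbound UDP/53.
# Assumption: iptables with hashlimit + LOG support. IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="drop_log_dns_abuse"

# dns_rrl_install RATE BURST
#   RATE  - per-source-IP packet rate above which queries are dropped (default 200/sec)
#   BURST - packets a source may send in a burst before the limit applies (default 500)
dns_rrl_install() {
    rate="${1:-200/sec}"
    burst="${2:-500}"

    # Create (or reset) the abuse chain. Logging is itself rate-limited so a
    # flood of dropped queries cannot turn into a flood of syslog lines.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -A "$CHAIN" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "DNS-ABUSE: " --log-level 4
    "$IPTABLES" -A "$CHAIN" -j DROP

    # Sources exceeding RATE (after BURST) match hashlimit-above and are sent
    # to the abuse chain; everything under the limit falls through to later
    # rules untouched. htable-size/max bound the per-IP state table.
    "$IPTABLES" -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-above "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
        --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 \
        -j "$CHAIN"
}

# Usage: sh dns-rrl.sh 200/sec 500   (no arguments: only define the function)
if [ "$#" -gt 0 ]; then
    dns_rrl_install "$@"
fi
```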
