[Pdns-users] Fwd: DNS RRL for PowerDNS
jj+powerdns at borkum.net
Thu Sep 13 12:17:10 UTC 2012
> Are there any plans to implement DNS RRL
> (http://www.redbarn.org/dns/ratelimits) or similar for PowerDNS? These
> DNS amplification attacks are really annoying.
Yes, this might be a nice feature.
As DNS traffic regularly consists of a lot of small UDP packets that
have to be transported from kernel space to the application.
This is very expensive if you consider that a friend $IP will hit the limit and
you think about dropping those queries and you have a lot of DNS traffic.
But if you are using a Un*x system like *BSD or Linux you are able to
achieve this via $PACKETFILTER of the kernel.
On Linux you can use the iptables hashlimit match in srcip mode for this.
# INPUT chain assumed; drop_log_dns_abuse is a user-defined target chain
# (create it with "iptables -N drop_log_dns_abuse" before adding this rule)
iptables -A INPUT \
  -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
  --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
  --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse
(If you are dealing with a lot of ANY queries against an authoritative DNS,
the above works well for me (TM).)
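As an added example (not from the original post or from the PowerDNS project), the hashlimit rule above turned into a complete, re-runnable script that also creates the drop_log_dns_abuse target chain, with the logging in that chain itself rate-limited so a query flood cannot also flood syslog. The thresholds and chain name are the post's; the INPUT chain, the "DNS-ABUSE: " log prefix and the 10/min log limit are my assumptions.

```shell
#!/bin/sh
# Per-source-IP rate limit for UDP/53 in the kernel packet filter, built
# from the hashlimit rule in the post (thresholds and chain name from there).
# Assumed here: the INPUT chain, the log prefix and the 10/min log limit.
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
CHAIN="drop_log_dns_abuse"

setup_dns_ratelimit() {
    # Target chain: log a sample of offenders, then drop. The LOG rule is
    # limited on its own so the attack traffic cannot fill the system log.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "DNS-ABUSE: " --log-level warning
    $IPT -A "$CHAIN" -j DROP

    # Match rule from the post: a source exceeding 200 queries/sec (burst 500)
    # to UDP/53 is sent to the log-and-drop chain; other sources are unaffected.
    $IPT -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-above 200/sec --hashlimit-burst 500 \
        --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
        --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 \
        -j "$CHAIN"
}

# Render the rule set as text for review without touching the kernel:
# runs setup_dns_ratelimit in a subshell with IPT replaced by echo.
render_dns_ratelimit() {
    ( IPT="echo iptables"; setup_dns_ratelimit )
}

case "${1:-}" in
    apply)   setup_dns_ratelimit ;;   # needs root
    dry-run) render_dns_ratelimit ;;
esac
```

Run with `dry-run` to inspect the generated rules, and repeat the same rules with ip6tables if the server also answers over IPv6.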