[Pdns-users] Fwd: DNS RRL for PowerDNS

Klaus Darilion klaus.mailinglists at pernau.at
Thu Sep 13 14:44:39 UTC 2012

Hi Jörg!

On 13.09.2012 14:17, joerg jungermann wrote:
> Hi Klaus!
>> Are there any plans to implement DNS RRL
>> (http://www.redbarn.org/dns/ratelimits) or similar for PowerDNS? These
>> DNS amplification attacks are really annoying.
> Yes, this might be a nice feature.
> As DNS traffic regularily constists of a lot of small UDP packets, that
> have to be transport from kernel space to the application.
> This is very expensive if you consider a friend $IP, will hit the limit and
> you think about dropping those queries and you have a lot of DNS traffic.
> But if you are using a Un*x system like *BSD or Linux you are able to
> archieve this via $PACKETFILTER of the kernel.
> On linux you can use the iptables hashlimit match in srcip mode for this.
> example:
> -p udp --dport 53 -m hashlimit --hashlimit-above 200/sec \
>   --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name DNS-ABUSER \
>   --hashlimit-htable-size 8192 --hashlimit-htable-max 32768 -j drop_log_dns_abuse

Thanks for the iptables rule. I think I will try to combine it with a 
check for ANY queries to only block the current ongoing ANY attacks and 
to avoid false positive. And it could help reducing the number of IP 
addresses which have to tracked by the hashlimit module.

btw: In current ANY queries the UDP source port correlates with the DNS 
transaction id. I have not found any means to compare those values in an 
iptables rule - are you aware of such a rule?


More information about the Pdns-users mailing list