[Pdns-users] Workaround for PowerDNS Security Advisory 2014-02

sthaug at nethelp.no sthaug at nethelp.no
Thu Dec 18 20:00:20 UTC 2014


> > - Is PowerDNS recursor meant to have a coherent cache? The observed
> > behavior on my 3.6.2/FreeBSD 9.3 installation is that I have as many
> > caches as I have threads (as configured with "threads=..." in
> > recursor.conf). This is clearly visible on the TTL of the replies,
> > e.g. (querying the recursor rapidly about the same A):
> 
> The cache is mostly coherent when pdns-distributes-queries is in use, but it
> is not guaranteed to be that way. It turns out that not coordinating caches
> actually improves performance. But with pdns-distributes-queries, the same
> question always ends up at the same thread. This also increases performance
> measurably (30%).

Sounds like we should try pdns-distributes-queries.

> > - Is 'rec_control reload-zones' meant to reload zones defined with
> > forward-zones-file= in recursor.conf? The observed behavior is that
> > the change in forwarding only happens after TTL expires (and thus can
> > happen at different times for different threads, see also the point
> > above), e.g.:
> 
> We attempt to wipe the cache of specific records for authoritative zones. We
> do not make an attempt to do a linear search of the cache for anything that
> was previously forwarded (since our cache is not ordered that way, it would
> be very expensive).
> 
> Is this an important usecase for you? If so, please let us know.

Unfortunately yes, this is important. We need to get forwarded zone
changes to take effect pretty much right away (as in: within a minute
is fine, having to wait for a 1 hour TTL to expire is not fine). The
reason is that the forwarded zone changes are done to handle the
$RANDOM.example.com DDoS case you describe in your recent "Diverting
recursor-to-auth attacks" blog post.

As it is we simply restart the recursor. This obviously means throwing
away the cache, which we would prefer to avoid.

Steinar Haug, AS 2116
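The restart-to-apply workaround above throws away the whole cache. An added example, not from this thread and not PowerDNS's own tooling: a small POSIX shell script that diffs the previous and the new forward-zones-file, runs "rec_control reload-zones", and then wipes only the names whose forwarding actually changed. It assumes the forward-zones-file syntax of one "zone=ip[:port][,ip[:port]...]" per line with an optional leading "+" and "#" comments (check the recursor.conf documentation for your version), and the RECCTL variable is an invention of this example (it defaults to "echo" so the script is a dry run). Note the caveat in the comments: plain "wipe-cache name" removes only that exact name, which is not enough for the $RANDOM.example.com case; whether your rec_control accepts the subtree form is something to verify against its manpage.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from the PowerDNS project.
# Given the previous and the new forward-zones-file, list the zones whose
# forwarding changed (added, removed or re-pointed) so that only those names
# are wiped from the recursor cache after "rec_control reload-zones", instead
# of restarting the recursor and losing the whole cache.
#
# Assumed forward-zones-file syntax (verify against the recursor.conf docs of
# the installed version): one "zone=ip[:port][,ip[:port]...]" per line, an
# optional leading "+" for recursive forwarding, "#" starts a comment.

# Print "zone<TAB>targets" for every forward entry in a file, normalised:
# lowercase zone, leading "+" and trailing dot stripped, comments removed.
forward_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -F= 'NF >= 2 {
        zone = tolower($1); sub(/^\+/, "", zone); sub(/\.$/, "", zone)
        targets = $2; gsub(/[[:space:]]/, "", targets)
        print zone "\t" targets
    }' | sort -u
}

# Zones present in OLD ($1) or NEW ($2) whose target list differs.
changed_zones() {
    cz_old=$(mktemp); cz_new=$(mktemp)
    forward_entries "$1" > "$cz_old"
    forward_entries "$2" > "$cz_new"
    # A line that occurs only once across both files is a change; the zone
    # name is field 1 (a re-pointed zone shows up twice, hence the final -u).
    sort "$cz_old" "$cz_new" | uniq -u | cut -f1 | sort -u
    rm -f "$cz_old" "$cz_new"
}

# Reload the forwarding configuration, then wipe only the changed names.
# RECCTL is this example's own knob: it defaults to "echo" (dry run); set
# RECCTL=rec_control to drive a running recursor.
apply_forward_change() {
    RECCTL=${RECCTL:-echo}
    $RECCTL reload-zones
    for z in $(changed_zones "$1" "$2"); do
        # Plain wipe-cache removes the exact name only. For a random-subdomain
        # flood the whole subtree has to go; newer rec_control versions accept
        # a trailing "$" for that ("wipe-cache $z\$"). Check your version.
        $RECCTL wipe-cache "$z"
    done
}
```

Usage: `RECCTL=rec_control sh forward-change.sh` after editing the file, with the old copy kept alongside, e.g. `apply_forward_change /etc/powerdns/forward-zones.old /etc/powerdns/forward-zones`. Because each thread keeps its own cache (as the quoted reply notes, caches are not coordinated), a wipe is the only way to get all threads to see the new forwarding before the old TTL expires.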
