[Pdns-users] Related to recent DoS attacks: Recursor configuration file guidance

abang abang at t-ipnet.net
Thu Feb 6 13:03:49 UTC 2014


Hello Bert,

Would you also provide the patch for the current version 3.5.3?

Winfried

Am 06.02.2014 13:10, schrieb bert hubert:
> Hi everybody,
>
> Over the past week we've been contacted by a few users reporting their
> PowerDNS Recursor became unresponsive under a moderate denial of service
> attack, one which PowerDNS should be expected to weather without issues.
>
> In the course of investigating this issue, we've found that many PowerDNS
> installations on Linux are configured to consume (far) more file descriptors
> than are actually available, wasting resources.
>
> To check if this is the case for you, multiply the 'max-mthreads' setting by
> the 'threads' setting. Default values are 2048 and 2, leading to a
> theoretical FD consumption of 4096. Many Linux distributions default to
> 1024. So, our defaults exceed the Linux defaults by a large margin!
>
> (FreeBSD defaults are far higher, and should not pose an issue).
>
> To fix, there are four options:
>
> 1) Reduce max-mthreads to 512 (or threads to 1)
> 2) Run 'ulimit -n 4096' before starting (perhaps put this in /etc/init.d/ script)
> 3) Investigate defaults in /etc/limits.conf
> 4) Apply the patch in https://github.com/PowerDNS/pdns/commit/3a8a4d68735a0465dff9623c49fb6bf45e0850d8
>
> The patch automates 1 and 2, either raising the limit if possible, or
> reducing max-mthreads until "it fits".
>
> Thank you for your attention, and if you have results to report to us on
> previous or current DoS attacks, please contact me privately!
>
> 	Bert
>
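A small POSIX shell check for the arithmetic Bert describes, added here as an example and not part of the thread or of PowerDNS itself: it reads `threads` and `max-mthreads` from a recursor.conf-style file (falling back to the 2 and 2048 defaults named in the mail), compares the product with the process's open-file limit, and, where it does not fit, halves `max-mthreads` until it does, as option 1 and the patch do. The `key=value` file format and the hypothetical function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the mailing list or the PowerDNS source): does the
# Recursor's theoretical FD demand (threads * max-mthreads) fit the nofile limit?

# conf_get <file> <key> <default>: last "key = value" line wins; default if absent.
conf_get() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$_val" ]; then echo "$_val"; else echo "$3"; fi
}

# fd_demand <file>: threads * max-mthreads, with the 2 / 2048 defaults from the mail.
fd_demand() {
    _threads=$(conf_get "$1" threads 2)
    _mthreads=$(conf_get "$1" max-mthreads 2048)
    echo $((_threads * _mthreads))
}

# fits_limit <demand> <nofile-limit>: succeeds when the demand fits the limit.
fits_limit() {
    [ "$1" -le "$2" ]
}

# fitting_mthreads <threads> <nofile-limit>: largest max-mthreads (halving from
# 2048) such that threads * max-mthreads stays within the limit.
fitting_mthreads() {
    _m=2048
    while [ $(( $1 * _m )) -gt "$2" ] && [ "$_m" -gt 1 ]; do
        _m=$((_m / 2))
    done
    echo "$_m"
}

# Stand-alone run against a constructed sample configuration (the mail's defaults).
demo() {
    _tmp=$(mktemp)
    printf 'threads=2\nmax-mthreads=2048\n' > "$_tmp"
    _demand=$(fd_demand "$_tmp")
    _limit=$(ulimit -n)
    if fits_limit "$_demand" "$_limit"; then
        echo "OK: FD demand $_demand <= nofile limit $_limit"
    else
        echo "WARNING: FD demand $_demand > nofile limit $_limit"
        echo "  either 'ulimit -n $_demand' before start, or set max-mthreads=$(fitting_mthreads 2 "$_limit")"
    fi
    rm -f "$_tmp"
}

demo
```

Point `fd_demand` at the real recursor.conf to check a live installation; a `max-mthreads` line commented out with `#` is treated as absent, so the default applies.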
