[Pdns-users] Botnet news + small Recursor 3.6.0 update

bert hubert bert.hubert at netherlabs.nl
Thu Jun 26 12:01:23 UTC 2014


Hi everbody,

First let's start with the good news - we've been receiving some great
feedback from PowerDNS Recursor 3.6.0 deployments using the
'pdns-distributes-queries' setting.  According to 'namebench', we now exceed
even on-site Google 8.8.8.8 in perceived performance by a significant
margin, while lowering CPU usage dramatically. [1].

Secondly, the botnet mitigation code in Recursor 3.6.0 is holding up well,
but we still see A Lot of malicious DNS traffic.  To determine exactly which
users are attacking your recursor with such traffic, we've enhanced
'dnsscope' (one of our DNS analysis tools) with the --servfail-tree option. 
This option generates a per-domain suffix list of IP addresses sending
servfail-generating traffic.

A provisional document for how to benefit from --servfail-tree and use it to
configure bulk IP blocking based on ipset can be found on:

          https://gist.github.com/ahupowerdns/53c9ec191f9b32803392

This also includes links on where to download binary packages of dnsscope.
Note by the way that the instructions are not PowerDNS specific, and will
also help you protect other nameservers.

Good luck & if you have any questions, please do not hesitate to contact us!

	Bert

[1] "commit 06ea901: make pdns-distributes-queries use a hash so related
queries get sent to the same thread. Original idea by Winfried Angele.
Astoundingly effective, approximately halves CPU usage!"




More information about the Pdns-users mailing list