[Pdns-users] Mitigating / stopping recent Denial of Service Attacks

okTurtles hi at okturtles.com
Wed Jun 4 15:20:58 UTC 2014


On Jun 4, 2014, at 1:09 AM, Peter van Dijk <peter.van.dijk at netherlabs.nl> wrote:

>> I decided to pair up DNSChain with PowerDNS recursor, thinking that maybe, since it has been in development for a long time now, it would more effectively deal with this problem; however, it seems that it's only marginally doing so.
> 
> We understand from other communications that you are forwarding all queries to Google DNS. The mitigation in PowerDNS Recursor is based on noticing queries to remote servers are failing. If it was working in this case, it would cut off your whole DNS!

FYI, the system's DNS is also set to Google's servers.

I tried commenting out `forward-zones-recurse`, but that made things worse. Loading pastebin.com and ycombinator.com failed with SERVFAIL.

I did manage to get the trace-regex for them though: http://pastebin.com/bvsRQc81

>> 	• 2% cache hits
> 
> Bad, but not weird with all these random queries.

Umm... OK? Does PowerDNS 3.6RC1 handle/mitigate these kinds of queries appropriately? I installed it recently as mentioned here: https://github.com/PowerDNS/pdns/issues/1453

I started seeing 30% throttled, and 7% cache hits (still bad?).

> Question: who is sending you these queries? Are you running an open recursor?

Yes, I am, and I was wondering if PowerDNS can do this responsibly (like blocking the random queries that I mentioned earlier). I also mentioned how that can be done and asked if PDNS 3.6 does it, or if it can be done via Lua.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
