[Pdns-users] pdns-recursor flooded with bogus lookups, SERVFAILs ensue

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Mar 31 08:13:30 UTC 2014


Hello Russell,

On 29 Mar 2014, at 20:48 , russell nealis <codemunkee at gmail.com> wrote:

> I understand the proper approach is to tell the customers to stop allowing DNS recursion on the public internet, and I'm working on that. However, I have thousands of customer machines and it's likely that this will crop up again. So my questions are:
> 
> (1) Do you suspect this is a DNS amplification attack where my customers' machines are getting abused? Or some other kind of attack (e.g. DNS cache poisoning?)

https://blog.secure64.com/?p=377

> (2) I've considered using iptables to slow down the query rate allowed by the customers but in the documentation it says I should be wary of using iptables since the volume of traffic could quickly overwhelm it? I noticed there is a throttle mechanism mentioned in the documentation but I can't determine whether that's something I can configure or if it's just built in logic. 

We don’t have experience with using iptables rate limiting to mitigate this and cannot recommend for or against it.

> (3) In general, what would you recommend to be proactive with something like this? I'm thinking about writing some code to run dnstop and look for customers that seem to be misconfigured and then put in ACLs on my network appliances to block their traffic to my recursors until they remedy their machines, however this seems heavy handed.

One, please read http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ and see if any of the suggestions in it are relevant for you.
Two, upgrade your Recursor to a recent GIT master, or to our latest 3.5.4-pre snapshot at https://autotest.powerdns.com/job/recursor-git/1109/; then, glean some configuration wisdom from https://github.com/PowerDNS/pdns/pull/1300

Hope this helps; please let us know how it works out for you.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
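Russell's idea in question (3), spotting customers whose machines are being abused from per-client query statistics, as an added example that is not part of this thread and not PowerDNS or dnstop code: it aggregates constructed query records (an assumed "timestamp client qname qtype" format, not a real PowerDNS log format) per source address and reports sources whose sustained query rate exceeds a threshold, together with their share of ANY queries, as input for an ACL review. The thresholds are assumptions to be tuned to the recursor's normal load.

```python
from datetime import datetime

# Constructed sample in an assumed "timestamp client qname qtype" format (not a
# PowerDNS log format): one normal customer, and one abused open resolver that
# relays 1200 ANY queries for the same name within a single minute.
SAMPLE_LOG = ["2014-03-29T20:48:00 198.51.100.7 www.example.com A",
              "2014-03-29T20:48:30 198.51.100.7 mail.example.com MX"]
SAMPLE_LOG += ["2014-03-29T20:48:%02d 203.0.113.5 isc.org ANY" % (i % 60)
               for i in range(1200)]

def parse_line(line):
    """Split one record into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, qname, qtype

def per_client_stats(lines):
    """Aggregate query count, ANY count, time span and distinct names per source."""
    stats = {}
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        s = stats.setdefault(client, {"count": 0, "any": 0, "first": ts,
                                      "last": ts, "names": set()})
        s["count"] += 1
        if qtype == "ANY":
            s["any"] += 1
        s["first"] = min(s["first"], ts)   # records need not be sorted
        s["last"] = max(s["last"], ts)
        s["names"].add(qname)
    return stats

def flag_clients(lines, max_qps=10.0, min_queries=100):
    """Return {client: {"qps": ..., "any_share": ...}} for sources that sent at
    least min_queries and averaged more than max_qps over their active span.
    Both thresholds are assumptions for this example."""
    flagged = {}
    for client, s in per_client_stats(lines).items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        qps = s["count"] / span
        if s["count"] >= min_queries and qps > max_qps:
            flagged[client] = {"qps": round(qps, 1),
                               "any_share": round(s["any"] / s["count"], 2)}
    return flagged

if __name__ == "__main__":
    for client, info in flag_clients(SAMPLE_LOG).items():
        print(client, info)
```

A high ANY share on a flagged source is the signature of reflection traffic rather than an ordinary busy customer, which helps decide whom to contact first.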
