[Pdns-users] pdns-recursor flooded with bogus lookups, SERVFAILs ensue

russell nealis codemunkee at gmail.com
Mon Mar 31 19:49:43 UTC 2014

On Mon, Mar 31, 2014 at 1:13 AM, Peter van Dijk <
peter.van.dijk at netherlabs.nl> wrote:

> Hello Russell,
> On 29 Mar 2014, at 20:48 , russell nealis <codemunkee at gmail.com> wrote:
> > I understand the proper approach is to tell the customers to stop
> allowing DNS recursion on the public internet, and I'm working on that.
> However, I have thousands of customer machines and it's likely that this
> will crop up again. So my questions are:
> >
> > (1) Do you suspect this is a DNS amplification attack where my customers
> machines are getting abused? Or some other kind of attack (e.g. DNS cache
> poisoning?)
> https://blog.secure64.com/?p=377
> > (2) I've considered using iptables to slow down the query rate allowed
> by the customers but in the documentation it says I should be wary of using
> iptables since the volume of traffic could quickly overwhelm it? I noticed
> there is a throttle mechanism mentioned in the documentation but I can't
> determine whether that's something I can configure or if it's just built in
> logic.
> We don't have experience with using iptables rate limiting to mitigate
> this and cannot recommend for or against it.
> > (3) In general, what would you recommend to be proactive with something
> like this? I'm thinking about writing some code to run dnstop and look for
> customers that seem to be misconfigured and then put in ACLs on my network
> appliances to block their traffic to my recursors until they remedy their
> machines, however this seems heavy handed.
> One, please read
> http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/and see if any of the suggestions in it are relevant for you.
> Two, upgrade your Recursor to a recent GIT master, or to our latest
> 3.5.4-pre snapshot at https://autotest.powerdns.com/job/recursor-git/1109/;
> then, glean some configuration wisdom from
> https://github.com/PowerDNS/pdns/pull/1300
> Hope this helps; please let us know how it works out for you.
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
Thank you for your help, Peter. I'll give it a go.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20140331/27bcfc4b/attachment-0001.html>

More information about the Pdns-users mailing list