[Pdns-users] Rate Limiting Against DDOS

Alejandro Adroher Mellado alejandro.adroher at omniaccess.com
Thu Jan 14 08:45:29 UTC 2016

Morning Everyone!!

I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
I’m using a modified script who works perfectly, but I’m limited for one of the settings.

Here is the script.

:INPUT ACCEPT [548:41223]
:OUTPUT ACCEPT [4439:1270057]
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m recent --set --name dnsanyquery --mask --rsource -j LOG --log-prefix "IPTables-Dropped: "
-A INPUT -p udp -m udp --dport 53 -m recent --rcheck --seconds 1 --hitcount 20 --name dnsanyquery --mask --rsource -j LOG

The next combination (--seconds 1 --hitcount 20) allow a max of 20 qps.
The fact is that the hitcount does not allow to use a number upper than 20. An I’m looking for some rules which allow me to rate limit over 200 or 300 qps.
And a cannot find it!!

As you can see, I’m only logging to a file these queries up to 20 per second, after that I’m using fail2band to block these logged queries. Someone knows a better way to block queries upper to 300 per second.

I’m losing a lot of time. Rate limiting to prevent DDos is killing my brain.   :-)

How do you rate limit your DNS servers?

Thanks in advance.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160114/a0703aec/attachment.html>

More information about the Pdns-users mailing list