[Pdns-users] Rate Limiting Against DDOS

bert hubert bert.hubert at powerdns.com
Thu Jan 14 09:00:40 UTC 2016


On Thu, Jan 14, 2016 at 08:45:29AM +0000, Alejandro Adroher Mellado wrote:
> Morning Everyone!!

GOOD MORNING!

> I’m trying to rate limit the number of queries per second allowed on my DNS recursor, using iptables.
> I’m using a modified script which works perfectly, but I’m limited by one of the settings.

Unless you are seeing hundreds of thousands of queries per second, dnsdist
might be a better choice for you, http://dnsdist.org/

It has a bunch of simple settings that probably do just what you want.

See for example:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting

But dnsdist offers way more than that to help you. You might for example
delay some answers, or strip the RD bit so your servers don't need to do any
work for certain subnets etc.

> How do you rate limit your DNS servers?

With dnsdist. Feel free to join us on the dnsdist mailing list
(http://mailman.powerdns.com/mailman/listinfo/dnsdist) and let's see if we
can make a nice config for you.

	Bert
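The three dnsdist settings Bert names (per-subnet QPS limiting, delaying answers, and stripping the RD bit) can all be expressed in a few lines of dnsdist's Lua configuration. The configuration below is an added example, not code from this mail or from the PowerDNS project, and it uses the rule/action API of current dnsdist releases rather than the helper names in the 2016 README linked above; the listen address, the backend address 127.0.0.1:5300, the RFC 5737 subnets, the zone name and all thresholds are assumptions to be adapted to a real deployment.

```lua
-- Added example dnsdist configuration; not from the original mail or the
-- PowerDNS project. Addresses, subnets, zone and thresholds are assumed values.

setLocal("0.0.0.0:53")                    -- where clients send their queries
newServer({address = "127.0.0.1:5300"})   -- the recursor dnsdist sits in front of

-- 1. Per-client QPS limit: queries are counted per /32 (IPv4) or /64 (IPv6)
--    source and anything above 20 qps is silently dropped. Dropping (rather
--    than answering with an error) means a flood with spoofed source
--    addresses gets no reflected traffic from this server either.
addAction(MaxQPSIPRule(20, 32, 64), DropAction())

-- 2. Delay instead of drop for a subnet that is legitimate but noisy. AndRule
--    evaluates left to right, so only clients inside the netmask group are
--    counted against the 5 qps limit; those over it are answered 500 ms late,
--    which throttles a misbehaving resolver without breaking it outright.
noisy = newNMG()
noisy:addMask("192.0.2.0/24")             -- constructed example range (RFC 5737)
addAction(AndRule({NetmaskGroupRule(noisy), MaxQPSIPRule(5)}), DelayAction(500))

-- 3. Strip the RD bit for a subnet. With RD cleared the recursor answers only
--    from what it already has and performs no recursion work for these clients.
nord = newNMG()
nord:addMask("198.51.100.0/24")           -- constructed example range (RFC 5737)
addAction(NetmaskGroupRule(nord), NoRecurseAction())

-- 4. Per-domain limit: at most 1000 qps in total for one zone. The excess is
--    answered with TC=1 so genuine resolvers retry over TCP, while spoofed UDP
--    sources get nothing usable back.
zone = newSuffixMatchNode()
zone:add(newDNSName("example.com."))      -- assumed zone name
addAction(AndRule({SuffixMatchNodeRule(zone), MaxQPSRule(1000)}), TCAction())
```

Rules are evaluated in the order they are added, so the global per-client drop in step 1 runs first and the softer per-subnet and per-domain rules only see traffic that survived it. Start with the thresholds well above normal peak load and watch `showRules()` / `topQueries()` in the dnsdist console before tightening them, since a limit set too low turns the mitigation itself into a denial of service for legitimate clients.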
