[Pdns-users] throttled-outqueries

David opendak at shaw.ca
Tue Oct 11 15:10:46 UTC 2016

On 2016-10-11 9:05 AM, Alejandro Adroher Mellado wrote:
> Hi all,
> I'm interested in how can I investigate in deep the throttled out queries.
> We have an open recursor due to business needs and during the last weeks we are answering a lot of SERVFAIL for random queries like web-127.com ..... (all of the forwarded to our abuse pool server)

Your resolver is likely under subdomain reflection attacks. If you look 
at "rec_control current-queries" you will probably see lookups similar to

etc. Pretty much anything that shows up on: 
https://twitter.com/dnsstream will be likely to hit your server as well.

You can either block abusive clients making these queries, or you can 
filter them from answering on your recursor. If all you have is powerdns 
and nothing like dnsdist in front you can setup forward zones for these 
pointing to yourself so that your recursor will respond with a servfail 
right away instead of doing the work trying to resolve the name. This 
will be a never ending cat and mouse game, though.

> From last service reboot I have this stats: (Recursor v 3.7.3)
> throttle-entries        390
> throttled-out   344055
> throttled-outqueries    344055
> We received 2.291.374 of SERVFAILS on last 10 days.
> The server performance it's fine!
> But, we are receiving on syslog a lot of entries like : kernel: [21099878.651281] net_ratelimit: 153 callbacks suppressed
> We cannot be sure that both (SERVFAIL & kernel net_ratelimit) are related.
> Have anyone previous experience on this case?
> Thanks a lot.
> Alejandro
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

More information about the Pdns-users mailing list