opendak at shaw.ca
Tue Oct 11 15:10:46 UTC 2016
On 2016-10-11 9:05 AM, Alejandro Adroher Mellado wrote:
> Hi all,
> I'm interested in how can I investigate in deep the throttled out queries.
> We have an open recursor due to business needs and during the last weeks we are answering a lot of SERVFAIL for random queries like web-127.com ..... (all of the forwarded to our abuse pool server)
Your resolver is likely under subdomain reflection attacks. If you look
at "rec_control current-queries" you will probably see lookups similar to
etc. Pretty much anything that shows up on:
https://twitter.com/dnsstream will be likely to hit your server as well.
You can either block abusive clients making these queries, or you can
filter them from answering on your recursor. If all you have is powerdns
and nothing like dnsdist in front you can setup forward zones for these
pointing to yourself so that your recursor will respond with a servfail
right away instead of doing the work trying to resolve the name. This
will be a never ending cat and mouse game, though.
> From last service reboot I have this stats: (Recursor v 3.7.3)
> throttle-entries 390
> throttled-out 344055
> throttled-outqueries 344055
> We received 2.291.374 of SERVFAILS on last 10 days.
> The server performance it's fine!
> But, we are receiving on syslog a lot of entries like : kernel: [21099878.651281] net_ratelimit: 153 callbacks suppressed
> We cannot be sure that both (SERVFAIL & kernel net_ratelimit) are related.
> Have anyone previous experience on this case?
> Thanks a lot.
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
More information about the Pdns-users