[Pdns-users] PDNS Authoritative Server DDOS Protection

bert hubert bert.hubert at powerdns.com
Sat Jul 7 12:09:15 UTC 2018


On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3, today I see my server not
> response and error or timeout on resolves .

Hi Hamed,

What you can best do is install dnsdist and put it in front of your
authoritative servers.

Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1
and your current auth server IP is 1.2.3.4:

newServer("127.0.0.1")
setLocal("1.2.3.4")
addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second. I also
recommend you setup the internal webserver which will give you a good feel
for what is going on, https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP which stops
most attacks:

addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the EBPF kernel based limits as
described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but
it does require a recent kernel.

Good luck!

> 
> When check the server see to many DNS requests from some IPs from Brazil
> like DDOS attack. To fix errors and timeouts, I block the attacker subnet in
> my firewall .
> 
>  
> 
> Now could you please let me know how protect my server from DOS and DDOS
> attacks ?
> 
>  
> 
> Best Regards,
> 
>  
> 
> Hamed Haghshenas
> 
>  
> 
>  
> 

> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users



More information about the Pdns-users mailing list