[Pdns-users] PDNS Authoritative Server DDOS Protection

Hamed Haghshenas haghshenas at chavoosh.com
Sat Jul 21 06:08:07 UTC 2018


Hi Bert,

Thanks for your solution, I use it same as below:

local dbr = dynBlockRulesGroup()
dbr:setQueryRate(3, 10, "Exceeded query rate", 60)
dbr:setRCodeRate(dnsdist.NXDOMAIN, 3, 10, "Exceeded NXD rate", 60)
dbr:setRCodeRate(dnsdist.SERVFAIL, 3, 10, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(dnsdist.ANY, 3, 10, "Exceeded ANY rate", 60)
dbr:setResponseByteRate(5000, 10, "Exceeded resp BW rate", 60)

function maintenance()
  dbr:apply()
end

For attacks built by Mausezahn with a small source address subnet, it worked fine and blocked every /32 that reached the query rate, but when using a big source subnet like a /20 it can't manage the queries and the CPU rate increases.

Could you please let me know if there is any way to force the dyn block function to check /24 subnets instead of /32, and, for every /24 source subnet, block the whole /24 if the query rate is exceeded?
For example, for 10.10.10.0/24, if the query rate exceeds 10 for 10 s, then block 10.10.10.0/24.

BR,
Hamed Haghshenas
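The per-/24 variant of the above, as an added example (not Hamed's posted config and not taken from the dnsdist documentation): the rate counters are keyed on the masked source address, so spoofed traffic spread across a /20 still accumulates per /24 and the whole /24 is blocked. It assumes a dnsdist release whose DynBlockRulesGroup provides setMasks(v4, v6, port) and excludeRange(); the exclusion ranges are RFC 5737/3849 documentation prefixes used as placeholders.

```lua
-- Added example: dynamic blocks keyed per /24 instead of per /32.
-- Assumes DynBlockRulesGroup:setMasks() is available in this dnsdist build.
local dbr = dynBlockRulesGroup()

-- Keep 24 bits of an IPv4 source, 56 bits of an IPv6 source, ignore the port.
-- Every counter below is now maintained per /24 (or per /56) rather than
-- per single client, and the inserted block covers that whole prefix.
dbr:setMasks(24, 56, 0)

-- Placeholder prefixes: never dynamically block your own resolvers/monitoring.
dbr:excludeRange({"192.0.2.0/24", "2001:db8::/32"})

-- Thresholds are per second, evaluated over a 10 s window, and a hit blocks
-- the prefix for 60 s. Because a /24 aggregates many clients, the rates are
-- higher than the per-/32 values used earlier to limit collateral blocking.
dbr:setQueryRate(10, 10, "Exceeded query rate (/24)", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 5, 10, "Exceeded NXD rate (/24)", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 5, 10, "Exceeded ServFail rate (/24)", 60)
dbr:setQTypeRate(DNSQType.ANY, 5, 10, "Exceeded ANY rate (/24)", 60)
dbr:setResponseByteRate(20000, 10, "Exceeded resp BW rate (/24)", 60)

-- dnsdist calls maintenance() roughly once a second; apply() walks the
-- ring buffers, evaluates the masked counters and installs the blocks.
function maintenance()
  dbr:apply()
end
```

With /24 keying, one noisy host drags its 253 neighbours into the block, so keep the block duration short and watch the dynamic-block statistics before lowering the rates further.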

-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of bert hubert
Sent: Tuesday, July 17, 2018 3:49 PM
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
> Could you please let me know how handle these large DDOS attacks?

Hi Hamed,

Please take a look at https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

This is specifically meant for the case of many different IP addresses attacking you.

Good luck!

_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users