[Pdns-users] Rate-Limit for NXDOMAIN
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Apr 29 21:14:14 UTC 2019
Hi Nico!
Am 26.04.2019 um 15:05 schrieb Nico CARTRON:
> Hi Markus,
>
> On 26-Apr-2019 14:55 CEST, <Markus.Ehrlicher at komsa.de> wrote:
>
>> Hello together,
>>
>> since recently we use two powerDNS Authoritative Servers (v.4.1.8) for
>> managing our own domains. Is it possible, to rate-limit dns lookups for
>> non-existing Domains?
>> Background: from time to time (several times a day), we get hundreds (or
>> thousands) of requests to random, non-existing, subdomains for one domain, we
>> are authoritative for. The root domain is the same in all requests. I don't
>> understand the aim of this attacks, but want to limit it in some possible
>> ways.
>
> This looks like a mission for dnsdist (http://www.dnsdist.org)
> Especially this section: https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup
Can you give an example how those dynblockrules can be used to filter
above "attack"? The main problem with rate-limiting NXDOMAIN is, that
you need to ask the authoritative to get a response and check if it is
NXDOMAIN. Then, dropping the response is actually no help as the
authoritative still gets the query load.
Also if the source IP is random, you can not block a source-IP after too
many NXDOMAINs. And if the queries come from a big resolver, you do not
want to rate limit legitim queries from the resolver.
If the zone is not too big, we currently explicitely whitelist all
labels of the zone, and then ratelimit all other queries to this zone.
So, if dynblockrules really can help in such a scenario, please show us
the respective config and please explain it.
Thanks
Klaus
More information about the Pdns-users
mailing list