[Pdns-users] Rate-Limit for NXDOMAIN

Klaus Darilion klaus.mailinglists at pernau.at
Mon Apr 29 21:14:14 UTC 2019

Hi Nico!

Am 26.04.2019 um 15:05 schrieb Nico CARTRON:
> Hi Markus,
> On 26-Apr-2019 14:55 CEST, <Markus.Ehrlicher at komsa.de> wrote:
>> Hello together,
>> since recently we use two powerDNS Authoritative Servers (v.4.1.8) for
>> managing our own domains. Is it possible, to rate-limit dns lookups for
>> non-existing Domains?
>> Background: from time to time (several times a day), we get hundreds (or
>> thousands) of requests to random, non-existing, subdomains for one domain, we
>> are authoritative for. The root domain is the same in all requests. I don't
>> understand the aim of this attacks, but want to limit it in some possible
>> ways.
> This looks like a mission for dnsdist (http://www.dnsdist.org)
> Especially this section: https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

Can you give an example how those dynblockrules can be used to filter 
above "attack"? The main problem with rate-limiting NXDOMAIN is, that 
you need to ask the authoritative to get a response and check if it is 
NXDOMAIN. Then, dropping the response is actually no help as the 
authoritative still gets the query load.

Also if the source IP is random, you can not block a source-IP after too 
many NXDOMAINs. And if the queries come from a big resolver, you do not 
want to rate limit legitim queries from the resolver.

If the zone is not too big, we currently explicitely whitelist all 
labels of the zone, and then ratelimit all other queries to this zone. 
So, if dynblockrules really can help in such a scenario, please show us 
the respective config and please explain it.


More information about the Pdns-users mailing list