[Pdns-users] Rate-Limit for NXDOMAIN
Brian Candler
b.candler at pobox.com
Tue Apr 30 13:37:44 UTC 2019
On 29/04/2019 22:14, Klaus Darilion wrote:
> Can you give an example how those dynblockrules can be used to filter
> above "attack"? The main problem with rate-limiting NXDOMAIN is that
> you need to ask the authoritative to get a response and check if it is
> NXDOMAIN. Then, dropping the response is actually no help as the
> authoritative still gets the query load.
In the normal case, suppressing responses may be a good thing to do, if
the actual problem is that the DNS responses are part of a DoS attack
(i.e. the DNS queries came in with spoofed source addresses). The
responses cause your IP reputation to suffer - and burn outbound bandwidth.
>
> Also if the source IP is random, you can not block a source-IP after
> too many NXDOMAINs.
That is true, but:
1. In that case, how would you propose dealing with random source IPs?
That is: how could you tell the difference between a valid query which
demands an NXDOMAIN response, mixed in with the "attacking" queries?
2. Why would someone send you lots of queries with *random* source IPs?
Have you analyzed them, are you sure they're random? An attacker would
normally put a victim's IP in the source, or a small set of victim
source IPs. Sending truly random source IPs wouldn't achieve very much,
apart from wasting your resources (and theirs).
Regards,
Brian.
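The following is an added example, not part of this thread and not PowerDNS or dnsdist code. It simulates the per-source NXDOMAIN rate limit the thread is discussing (count NXDOMAIN responses per client address in a sliding window, block the address for a while once the count exceeds a threshold) and runs it over three constructed traffic patterns: one client hammering random labels, the same queries with a different spoofed source address on every packet, and an ordinary client with occasional typos. The limiter class, thresholds, addresses and query names are all assumptions chosen for illustration.

```python
"""Per-source NXDOMAIN rate limiting, simulated over constructed traffic.

Added example: not dnsdist/PowerDNS code. Thresholds and addresses are
illustrative assumptions.
"""
from collections import defaultdict, deque

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"


class NxdomainRateLimiter:
    """Sliding-window per-source NXDOMAIN counter with a temporary block.

    threshold: NXDOMAIN responses a single source may receive within
    `window` seconds; exceeding it blocks that source for `block_seconds`.
    """

    def __init__(self, threshold=20, window=10.0, block_seconds=60.0):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self._nx_times = defaultdict(deque)  # src -> recent NXDOMAIN timestamps
        self.block_until = {}                # src -> time the block expires

    def decide(self, ts, src, rcode):
        """Return 'answer', 'drop' (source already blocked) or 'block'
        (this response tripped the threshold; the source is now blocked)."""
        until = self.block_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            del self.block_until[src]          # block expired
        if rcode != NXDOMAIN:
            return "answer"
        times = self._nx_times[src]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()                    # forget NXDOMAINs outside the window
        if len(times) > self.threshold:
            self.block_until[src] = ts + self.block_seconds
            times.clear()
            return "block"
        return "answer"


def simulate(records, **limiter_args):
    """Run the limiter over (ts, src, qname, rcode) records and summarise.

    Every record is a query that already reached the authoritative and
    came back with `rcode`; the limiter only decides whether the client
    gets the response. Returns counts plus the set of blocked sources.
    """
    lim = NxdomainRateLimiter(**limiter_args)
    summary = {"answered": 0, "dropped": 0, "blocked": set()}
    for ts, src, _qname, rcode in records:
        verdict = lim.decide(ts, src, rcode)
        if verdict == "answer":
            summary["answered"] += 1
        else:
            summary["dropped"] += 1
            if verdict == "block":
                summary["blocked"].add(src)
    return summary


# --- constructed sample traffic (not real captures) ---

def burst_from_one_source(n=30, src="198.51.100.7"):
    """One client querying random labels under a zone: every answer is NXDOMAIN."""
    return [(i * 0.1, src, f"x{i}.example.com", NXDOMAIN) for i in range(n)]


def spoofed_random_sources(n=200):
    """Same query pattern, but each packet carries a different (spoofed) source."""
    return [(i * 0.01, f"10.0.{i // 256}.{i % 256}", f"x{i}.example.com", NXDOMAIN)
            for i in range(n)]


def legit_client(n=50, src="192.0.2.10"):
    """A normal client whose every fifth lookup is a typo (NXDOMAIN)."""
    return [(float(i), src, f"host{i}.example.com",
             NXDOMAIN if i % 5 == 4 else NOERROR) for i in range(n)]


if __name__ == "__main__":
    for name, recs in [("single-source burst", burst_from_one_source()),
                       ("spoofed random sources", spoofed_random_sources()),
                       ("legitimate client", legit_client())]:
        print(f"{name}: {simulate(recs)}")
```

With a threshold of 20 NXDOMAINs per 10 seconds, the single-source burst gets 20 answers and then loses the rest for a minute, the legitimate client is never touched, and the spoofed-source run is never blocked at all, because no single address ever exceeds the threshold. That is exactly the limitation raised in the thread: a per-source rule can only suppress responses, and only when the attacker reuses source addresses, while the authoritative has already absorbed every query by the time the rcode is known.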