[Pdns-users] Rate-Limit for NXDOMAIN

Filipe Cifali cifali.filipe at gmail.com
Tue Apr 30 13:57:29 UTC 2019


This is probably from 1 source only but spoofing the source address, one
pattern of attacking DNSs that was common some years ago (2013/2014 hits my
memory more on this) was to fake query origin making the DNS server thing
there was tons of different IPs querying the server and in reality was only
one IP trying to cause a Reflection Attack or DoS.

There's not many options to reduce query load in Auth DNS in this case that
works very well against subdomains, from what I recall iptables / netfilter
can use hexadecimal strings to filter out those queries before they do the
real query but this is expensive in terms of CPU (still needs to test it
against your scenario). Other than that you can put a DNS cache in front of
the authoritative to hold off those aggressive queries and give it a nice
slab of RAM.

Best regards,
Filipe

On Tue, Apr 30, 2019 at 10:36 AM Brian Candler <b.candler at pobox.com> wrote:

> On 29/04/2019 22:14, Klaus Darilion wrote:
> > Can you give an example how those dynblockrules can be used to filter
> > above "attack"? The main problem with rate-limiting NXDOMAIN is, that
> > you need to ask the authoritative to get a response and check if it is
> > NXDOMAIN. Then, dropping the response is actually no help as the
> > authoritative still gets the query load.
>
> In the normal case, suppressing responses may be a good thing to do, if
> the actual problem is that the DNS responses are part of a DoS attack
> (i.e. the DNS queries came in with spoofed source addresses).  The
> responses cause your IP reputation to suffer - and burn outbound bandwidth.
>
> >
> > Also if the source IP is random, you can not block a source-IP after
> > too many NXDOMAINs.
>
> That is true, but:
>
> 1. In that case, how would you propose dealing with random source IPs?
> That is: how could you tell the difference between a valid query which
> demands an NXDOMAIN response, mixed in with the "attacking" queries?
>
> 2. Why would someone send you lots of queries with *random* source IPs?
> Have you analyzed them, are you sure they're random? An attacker would
> normally put a victim's IP in the source, or a small set of victim
> source IPs.  Sending truly random source IPs wouldn't achieve very much,
> apart from wasting your resources (and theirs).
>
> Regards,
>
> Brian.
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>


-- 
[ ]'s

Filipe Cifali Stangler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190430/20809dac/attachment.html>


More information about the Pdns-users mailing list