[Pdns-users] Rate-Limit for NXDOMAIN

Filipe Cifali cifali.filipe at gmail.com
Tue Apr 30 14:28:26 UTC 2019


The OP mentions it's only one "domain" being queried with random
subdomains, which makes it easier to match the possible queries, as described here:

https://stackoverflow.com/questions/14096966/can-iptables-allow-dns-queries-only-for-a-certain-domain-name

I think this is effective to prevent this attack right now if it's
affecting the OP; it should not be used for long, just until the attack
comes to a halt. It's important to use a LOG flag before, to know when the
attack stops, because the CPU hit can be heavy if the kernel table gets too
inflated.

On Tue, Apr 30, 2019 at 11:22 AM Brian Candler <b.candler at pobox.com> wrote:

> On 30/04/2019 14:57, Filipe Cifali wrote:
> > Other than that you can put a DNS cache in front of the authoritative
> > to hold off those aggressive queries and give it a nice slab of RAM.
>
> pdns has its own packetcache layer which works very well, but if every
> query is a different <randomstring>.<yourdomain> then any cache would be
> forced to pass the query through.
>
> There might be some ways to deal with this.  e.g. if <randomstring> is
> always more than a certain number of characters, dnsdist could filter
> them out (whilst explicitly whitelisting any other valid names which
> happen to be the same length)
>
> The trouble is, you do still want to return NXDOMAIN normally to regular
> typos.
>
>

-- 
[ ]'s

Filipe Cifali Stangler
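Brian's dnsdist idea from the quoted reply, written out as an added example (this is not a config from the thread or from PowerDNS itself). The zone name example.com, the 16-character label cut-off, the allow-listed hostnames and the log path are placeholders to be replaced with the OP's own values.

```lua
-- Added example dnsdist config (not from the thread): refuse queries whose leftmost
-- label under the attacked zone is suspiciously long, while passing known-good names.
-- Placeholders: example.com, the 16-character cut-off, the allow-listed names, the log path.

-- Legitimate names under the zone that happen to have long labels are matched
-- exactly and excluded from the filter (the explicit whitelist mentioned in the thread).
local allowed = OrRule({
  QNameRule("longbutlegitimate-hostname.example.com"),
  QNameRule("another-long-valid-name.example.com"),
})

-- Leftmost label of 16 or more characters directly under the zone.
-- The trailing dot is optional so the pattern matches whether dnsdist hands the
-- regex the name with or without it.
local longLabel = RegexRule("^[^.]{16,}\\.example\\.com\\.?$")

-- Queries that are "long random label" AND NOT on the allow list.
local suspect = AndRule({ longLabel, NotRule(allowed) })

-- Log first: LogAction does not stop rule processing, so the next rule still runs.
-- Watching this log shows when the attack stops, so the filter can be removed again.
addAction(suspect, LogAction("/var/log/dnsdist-refused.log", false))

-- Answer REFUSED at the edge instead of forwarding to the authoritative.
-- Ordinary typos never match the regex and still get a normal NXDOMAIN.
-- DNSRCode.REFUSED is the dnsdist 1.4+ constant; older releases use dnsdist.REFUSED.
addAction(suspect, RCodeAction(DNSRCode.REFUSED))
```

Because the cut-off is a plain label length, any real hostname at or above it must be listed in `allowed` before this goes live, otherwise it will be refused along with the random ones.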