[Pdns-users] Rate-Limit for NXDOMAIN

powerdns at bart.bim.be powerdns at bart.bim.be
Tue Apr 30 14:31:55 UTC 2019

> In the normal case, suppressing responses may be a good thing to do, 
> if the actual problem is that the DNS responses are part of a DoS 
> attack (i.e. the DNS queries came in with spoofed source addresses).  
> The responses cause your IP reputation to suffer - and burn outbound 
> bandwidth.

If the attack is being carried out via a valid recursor DNS, then not 
responding at all, will cause the recursor to try all your nameservers 
before giving up. This multiplies the incoming traffic you would 
normally receive on one server, times the number of visible nameservers 
you have. Unless you're sure traffic doesn't come in via a recursor, 
then it's probably better to respond.

Are you using PowerDNS with a MySQL backend? In that case, the fact that 
every single request needs to be checked in the database is your 
bottleneck. If you can prevent this from happening, then you'll notice 
that your server is capable of responding to a much larger amount of 
requests without much of a hassle.

Changing the backend could be an option.

Or, as was earlier pointed out, by setting up dnsdist with rules that 
would whitelist all existing records and make it respond with NXDOMAIN 
to all non-existing records.

If the "random" request do show some sort of pattern which could enable 
you to create a regular expression to find them, then this would be a 
simple solution. Let's say that the random requests most often contain a 
number while your real subdomains never have a number:

addAction(RegexRule("[a-z]*[0-9]+[a-z]*\\.example.org$"), RCodeAction(3))

With more complicated regular expressions, you can achieve more. And if 
this only blocks 90% of them without having to look them up in the DB, 
then at least you're already doing that.

Bart Mortelmans

More information about the Pdns-users mailing list