[Pdns-users] DoS with AXFR transfer

Adrian Kägi aka at nts.ch
Sun Dec 22 08:25:52 UTC 2019

Hi List
I am new to this list, and would like to say hello, pdns users!

Version: 4.1
Backend: MySQL
OS: Ubuntu 16.04
pdns Server acts as Slave Server

In my lab, I made an AXFR zone transfer with several records. I was wondering if there is only one [1] solution to prevent/throttle a master server sending, every couple of minutes, a zone transfer with a huge "fake" zone to trigger a DoS situation.
The syslog says there were more than 5000 messages in the queue to write down to MySQL [2], so my guess is the MySQL server is too slow.
Is there a solution to slow down a zone transfer?
Maybe my thoughts are going in the wrong direction, but from my point of view, in a real-life scenario, a DoS is possible with a huge zone transfer every couple of minutes.

What do you recommend? Tune the MySQL server? Add a DoS prevention tool in front, like fail2ban?

Thank you very much for your input!

[1] https://doc.powerdns.com/authoritative/settings.html#xfr-max-received-mbytes
[2] https://doc.powerdns.com/authoritative/settings.html#max-queue-length
