[Pdns-users] Rate-Limit for NXDOMAIN
Klaus Darilion
klaus.mailinglists at pernau.at
Sat May 4 21:31:24 UTC 2019
Hi Brian!
Am 30.04.2019 um 15:37 schrieb Brian Candler:
> On 29/04/2019 22:14, Klaus Darilion wrote:
>> Can you give an example how those dynblockrules can be used to filter
>> above "attack"? The main problem with rate-limiting NXDOMAIN is, that
>> you need to ask the authoritative to get a response and check if it is
>> NXDOMAIN. Then, dropping the response is actually no help as the
>> authoritative still gets the query load.
>
> In the normal case, suppressing responses may be a good thing to do, if
> the actual problem is that the DNS responses are part of a DoS attack
> (i.e. the DNS queries came in with spoofed source addresses). The
> responses cause your IP reputation to suffer - and burn outbound bandwidth.
Most of the time the problem is not bandwidth, but a query pattern which
bypasses caches (dnsdist, pdns-packet-cache, pdns-query-cache) and
hence causes load on the backend. If the backend is mysql or postgres
this massively hurts and easily overloads the server (CPU, io-wait).
>>
>> Also if the source IP is random, you can not block a source-IP after
>> too many NXDOMAINs.
>
> That is true, but:
>
> 1. In that case, how would you propose dealing with random source IPs?
> That is: how could you tell the difference between a valid query which
> demands an NXDOMAIN response, mixed in with the "attacking" queries?
Indeed, that's why I do not use filters which evaluate the source IP.
> 2. Why would someone send you lots of queries with *random* source IPs?
> Have you analyzed them, are you sure they're random? An attacker would
> normally put a victim's IP in the source, or a small set of victim
> source IPs. Sending truly random source IPs wouldn't achieve very much,
> apart from wasting your resources (and theirs).
I do not know. Attackers try to walk the zone to find potentially
vulnerable services. Or maybe DDoS attacks on resolvers which also hurts
the authoritative servers, or DDoS on authoritative. I do not know - I
only see such queries also on our authoritative servers - and they can
hurt massively.
regards
Klaus
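The thread's point is that a random-subdomain NXDOMAIN pattern defeats every cache in front of the backend and cannot be blocked per source IP. The following added example (not code from the thread, dnsdist or PowerDNS) flags affected zones from a response log using only qname and rcode; the sample log lines, zone names and thresholds are constructed assumptions.

```python
# Added example, not code from the thread: flag zones hit by a cache-bypassing
# random-subdomain NXDOMAIN flood using only qname and rcode, never the source IP.
import math
from collections import Counter, defaultdict

# Constructed sample of "qname rcode" response-log lines for hypothetical zones.
SAMPLE_LOG = """\
www.example.org NOERROR
mail.example.org NOERROR
xk3q9z.example.org NXDOMAIN
p0v7mtl2.example.org NXDOMAIN
zz81qqa.example.org NXDOMAIN
a9b2c3d4e5.example.org NXDOMAIN
q7w8e9r0t.example.org NXDOMAIN
shop.example.net NOERROR
oldpage.example.net NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character of a label; random labels score high, 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def zone_of(qname, labels=2):
    """Crude zone cut: keep the last `labels` labels (no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def analyse(log, min_queries=5, nxd_ratio=0.6, unique_ratio=0.8):
    """Return {zone: stats} for zones with a high NXDOMAIN share whose NXDOMAIN
    names are mostly distinct, i.e. each one misses every cache before the backend."""
    zones = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set(), "ent": 0.0})
    for line in log.splitlines():
        qname, rcode = line.split()
        z = zones[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
            z["names"].add(qname)
            z["ent"] += shannon_entropy(qname.split(".")[0])
    flagged = {}
    for zone, z in zones.items():
        if z["total"] < min_queries or z["nxdomain"] == 0:
            continue  # too few queries to judge, or no NXDOMAIN at all
        share = z["nxdomain"] / z["total"]
        distinct = len(z["names"]) / z["nxdomain"]
        if share >= nxd_ratio and distinct >= unique_ratio:
            flagged[zone] = {"total": z["total"], "nxdomain": z["nxdomain"], "distinct_ratio": distinct,
                             "mean_label_entropy": z["ent"] / z["nxdomain"]}
    return flagged
```

A flagged zone is a candidate for zone-level protection (for example answering such names from a cached negative response rather than the SQL backend); the per-zone view is what remains when per-IP blocking is off the table.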