[Pdns-users] Rate-Limit for NXDOMAIN

Klaus Darilion klaus.mailinglists at pernau.at
Sat May 4 21:31:24 UTC 2019

Hi Brian!

Am 30.04.2019 um 15:37 schrieb Brian Candler:
> On 29/04/2019 22:14, Klaus Darilion wrote:
>> Can you give an example how those dynblockrules can be used to filter 
>> above "attack"? The main problem with rate-limiting NXDOMAIN is, that 
>> you need to ask the authoritative to get a response and check if it is 
>> NXDOMAIN. Then, dropping the response is actually no help as the 
>> authoritative still gets the query load.
> In the normal case, suppressing responses may be a good thing to do, if 
> the actual problem is that the DNS responses are part of a DoS attack 
> (i.e. the DNS queries came in with spoofed source addresses).  The 
> responses cause your IP reputation to suffer - and burn outbound bandwidth.

Most of the time the problem is not bandwidth, but a query pattern which 
bypasses caches (dnsdist, pdns-packet-cache, pdns-query-cache) and 
hence causes load on the backend. If the backend is mysql or postgres 
this massively hurts and easily overloads the server (CPU, io-wait).

>> Also if the source IP is random, you can not block a source-IP after 
>> too many NXDOMAINs.
> That is true, but:
> 1. In that case, how would you propose dealing with random source IPs? 
> That is: how could you tell the difference between a valid query which 
> demands an NXDOMAIN response, mixed in with the "attacking" queries?

Indeed, that's why I do not use filters which evaluate the source IP.

> 2. Why would someone send you lots of queries with *random* source IPs? 
> Have you analyzed them, are you sure they're random? An attacker would 
> normally put a victim's IP in the source, or a small set of victim 
> source IPs.  Sending truly random source IPs wouldn't achieve very much, 
> apart from wasting your resources (and theirs).

I do not know. Attackers try to walk the zone to find potentially 
vulnerable services. Or maybe DDoS attacks on resolvers which also hurt 
the authoritative servers, or DDoS on authoritative. I do not know - I 
only see such queries also on our authoritative servers - and they can 
hurt massively.
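As an added illustration (not from this thread, nor from Klaus's or Brian's mail) of the dynblock rules Brian referred to, here is a dnsdist Lua configuration that keys on NXDOMAIN responses per client address; the thresholds and the excluded range are assumptions.

```lua
-- Added example: dnsdist dynamic block rules keyed on the NXDOMAIN rcode.
-- Numbers (20 NXDOMAINs per 10 s, 60 s block) and the excluded range are assumed.
local dbr = dynBlockRulesGroup()

-- Block a client that triggered more than 20 NXDOMAIN responses within the
-- last 10 seconds, for 60 seconds. DNSAction.Drop silently drops its further
-- queries; DNSAction.Truncate would instead push UDP clients to TCP, which a
-- spoofed source cannot complete, at the cost of extra work for real clients.
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXDOMAIN rate", 60, DNSAction.Drop)

-- Never block our own monitoring hosts / internal resolvers (assumed range).
dbr:excludeRange("192.0.2.0/24")

-- Evaluate the rules against the response ring buffer roughly once a second.
addMaintenanceCallback(function() dbr:apply() end)
```

As the thread notes, the rule only helps when the offending queries come from a bounded set of addresses: each query still reaches the backend once before its NXDOMAIN is counted, and randomised spoofed sources never accumulate enough hits per address to be blocked.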
