[Pdns-users] Rate-Limit for NXDOMAIN

Klaus Darilion klaus.mailinglists at pernau.at
Sat May 4 21:37:40 UTC 2019


Hi Bart!

On 30.04.2019 at 16:31, powerdns at bart.bim.be wrote:
> 
>> In the normal case, suppressing responses may be a good thing to do, 
>> if the actual problem is that the DNS responses are part of a DoS 
>> attack (i.e. the DNS queries came in with spoofed source addresses). 
>> The responses cause your IP reputation to suffer - and burn outbound 
>> bandwidth.
> 
> 
> If the attack is being carried out via a valid recursor DNS, then not 
> responding at all, will cause the recursor to try all your nameservers 
> before giving up. This multiplies the incoming traffic you would 
> normally receive on one server, times the number of visible nameservers 
> you have. Unless you're sure traffic doesn't come in via a recursor, 
> then it's probably better to respond.
> 
> 
> Are you using PowerDNS with a MySQL backend? In that case, the fact that 
> every single request needs to be checked in the database is your 
> bottleneck. If you can prevent this from happening, then you'll notice 
> that your server is capable of responding to a much larger amount of 
> requests without much of a hassle.
> 
> 
> Changing the backend could be an option.

I thought about loading the bind backend and semi-automatically exporting the 
"attacked" zone (and all subzones) from the SQL backend to the bind 
backend. Then, patch PDNS to not check all backends for the best zone 
match (getSOA() lookups) but stop if a zone is found in the first 
backend. The bind backend should easily cope with such traffic patterns.

> Or, as was earlier pointed out, by setting up dnsdist with rules that 
> would whitelist all existing records and make it respond with NXDOMAIN 
> to all non-existing records.

Wildcards in the zone may prevent the above trick.

> If the "random" request do show some sort of pattern which could enable 
> you to create a regular expression to find them, then this would be a 
> simple solution. Let's say that the random requests most often contain a 
> number while your real subdomains never have a number:
> 
> addAction(RegexRule("[a-z]*[0-9]+[a-z]*\\.example.org$"), RCodeAction(3))

Indeed, that may work and may reduce the number of needed whitelist 
entries.

> With more complicated regular expressions, you can achieve more. And if 
> this only blocks 90% of them without having to look them up in the DB, 
> then at least you're already doing that.

True.

Klaus
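The two dnsdist approaches discussed in this thread (an allowlist of existing names answered by NXDOMAIN for everything else, versus the regex rule that only refuses random-looking labels) and the wildcard caveat can be modelled outside dnsdist to see what each policy would keep away from the SQL backend. The following is an added example, not code from the mailing-list post or from PowerDNS/dnsdist; the zone contents, the wildcard `*.dyn.example.org`, and the sample query names are constructed, and the regular expression is the one quoted above applied to a name without its trailing dot.

```python
"""Constructed model of the dnsdist filtering discussed in the thread:
answer obviously bogus names with NXDOMAIN before they reach the SQL
backend, while never refusing names that a wildcard record would answer.
Added example, not from the mailing-list post or from PowerDNS/dnsdist."""
import re
from collections import Counter

ZONE = "example.org"

# Constructed allowlist: the names that really exist in the zone.
EXISTING_NAMES = {"example.org", "www.example.org", "mail.example.org",
                  "api.example.org"}

# Constructed: the zone holds a wildcard record "*.dyn.example.org", so any
# name below dyn.example.org is valid and must reach the backend.
WILDCARD_PARENTS = {"dyn.example.org"}

# The regular expression from the thread (a label containing a digit),
# on the premise that the real subdomains never contain digits.
RANDOM_LABEL = re.compile(r"[a-z]*[0-9]+[a-z]*\.example\.org$")

NXDOMAIN = "nxdomain"   # RCode 3, answered locally by the front end
FORWARD = "forward"     # passed on to the PowerDNS backend


def normalise(qname: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot of an FQDN."""
    return qname.rstrip(".").lower()


def is_under(name: str, parent: str) -> bool:
    """True if name equals parent or is a label-aligned subdomain of it."""
    return name == parent or name.endswith("." + parent)


def classify(qname: str, policy: str = "regex") -> str:
    """Decide whether a query is refused up front or forwarded to the backend."""
    name = normalise(qname)
    if not is_under(name, ZONE):
        return FORWARD          # foreign zone: the backend decides
    if name in EXISTING_NAMES:
        return FORWARD
    if any(is_under(name, p) for p in WILDCARD_PARENTS):
        # Wildcard caveat: a plain allowlist would wrongly refuse these names.
        return FORWARD
    if policy == "allowlist":
        return NXDOMAIN         # every remaining in-zone name is known not to exist
    if policy == "regex":
        return NXDOMAIN if RANDOM_LABEL.search(name) else FORWARD
    raise ValueError(f"unknown policy {policy!r}")


def summarise(qnames, policy: str = "regex") -> Counter:
    """Count how many queries a policy keeps away from the database."""
    return Counter(classify(q, policy) for q in qnames)


# Constructed sample of query names seen during a flood.
SAMPLE_QUERIES = [
    "www.example.org.", "MAIL.example.org.", "api.example.org.",
    "host1.dyn.example.org.", "x7k2q.dyn.example.org.",
    "a1b2c3.example.org.", "9q8w7e.example.org.", "zz12.example.org.",
    "staging.example.org.",   # not listed, no digit: only the allowlist refuses it
    "www.example.com.",       # foreign zone
]

if __name__ == "__main__":
    for pol in ("regex", "allowlist"):
        print(pol, dict(summarise(SAMPLE_QUERIES, pol)))
```

In dnsdist terms, the `FORWARD` branches correspond to rules placed before the quoted `addAction(RegexRule(...), RCodeAction(3))` line (an exact-name or suffix match that simply lets the query through), and the wildcard check is why a suffix match for each wildcard parent has to precede any catch-all NXDOMAIN rule.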
