[Pdns-users] DDoS attack with random A requests causes SQL backend overload

Thomas Mieslinger miesi at mail.com
Fri Jul 16 10:08:28 UTC 2021


Suggestions from older threads (Klaus Darilion):
- Put that zone in a more efficient Backend (he suggested lmdb)
- Put that zone in a more efficient Software (he suggested nsd) and use
dnsdist to route the traffic to the alternate Software

Very old suggestion:
- Use a firewall uint32 match to lock out queries to the attacked zone.

Crazy idea:
- enable DNSSEC on that zone
- set up pdns recursor or similar and delegate the zone to it
- pdns-recursor should now be able to efficiently calculate the
NXDOMAINs based on NSEC/NSEC3 information


Cheers

On 16.07.21 at 11:33, David Porter via Pdns-users wrote:
> Hello,
>
> We have received a DDoS attack on our powerdns infrastructure.
> The DNS requests were all non-existing records in 1 single zone.
>
> Eg:
>    ghz2.mydomain.com
>    cdzx.mydomain.com
>    hh3r.mydomain.com
>
> The result was that the SQL backend was overloaded with these queries
> and caused some of our servers not to respond to legitimate queries.
> See here an example from the SQL log:
>
> 2021-07-13T14:50:43.459635Z      3061 Reset stmt
> 2021-07-13T14:50:43.463172Z      3059 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='gzh1.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.463989Z      3059 Reset stmt
> 2021-07-13T14:50:43.468001Z      3060 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='cdzx.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.468822Z      3060 Reset stmt
> 2021-07-13T14:50:43.471102Z      3061 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='cvqi.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.472178Z      3061 Reset stmt
> 2021-07-13T14:50:43.474985Z      3059 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='hh3r.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.475371Z      3059 Reset stmt
> 2021-07-13T14:50:43.478971Z      3060 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='9jv9.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.479399Z      3060 Reset stmt
> 2021-07-13T14:50:43.483063Z      3061 Execute   SELECT
> content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and name='boxl.mydomain.com' and domain_id=1280
> 2021-07-13T14:50:43.483457Z      3061 Reset stmt
>
> The new zone cache feature is only caching the "domains" table, it's not
> caching each record in the backend.
>
> Is there any way we can ensure that powerdns is caching a complete
> zone in case we are encountering a randomly generated dns attack on our
> authoritative DNS servers?
>
> Thank you,
>
> David
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
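The pattern in David's SQL log (one fresh, never-seen name per lookup, all in the same domain_id) is what a detector should key on. Below is an added example, not code from the thread or from PowerDNS: it parses MySQL general-log lines in the shape quoted above (constructed sample, each statement assumed to sit on a single line) and flags a domain_id where nearly every record lookup is for a distinct name.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the MySQL general log quoted in the thread
# (timestamp, connection id, command, statement); names and domain_ids are made up.
SAMPLE_LOG = """\
2021-07-13T14:50:43.459635Z 3061 Reset stmt
2021-07-13T14:50:43.463172Z 3059 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='gzh1.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.468001Z 3060 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='cdzx.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.471102Z 3061 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='cvqi.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.474985Z 3059 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='hh3r.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.478971Z 3060 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='9jv9.mydomain.com' and domain_id=1280
2021-07-13T14:50:43.490000Z 3062 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='www.otherzone.example' and domain_id=77
2021-07-13T14:50:43.495000Z 3062 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='www.otherzone.example' and domain_id=77
2021-07-13T14:50:43.499000Z 3062 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='mail.otherzone.example' and domain_id=77
"""

# Matches only the per-name record lookups the gmysql backend issues; "Reset stmt" is skipped.
LOOKUP_RE = re.compile(
    r"^\S+\s+\d+\s+Execute\s+SELECT .*? FROM records WHERE "
    r"disabled=0 and name='([^']+)' and domain_id=(\d+)$"
)

def parse_lookups(log_text):
    """Return a list of (domain_id, qname) for every record lookup in the log text."""
    out = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            out.append((int(m.group(2)), m.group(1).lower()))
    return out

def flag_random_subdomain_floods(lookups, min_lookups=5, min_unique_ratio=0.8):
    """Group lookups per domain_id and flag zones where at least min_lookups were
    seen and the share of distinct names is >= min_unique_ratio: legitimate traffic
    repeats names, a random-subdomain flood almost never does.
    Returns {domain_id: (total_lookups, distinct_names)} for flagged zones."""
    per_zone = defaultdict(list)
    for domain_id, qname in lookups:
        per_zone[domain_id].append(qname)
    flagged = {}
    for domain_id, names in per_zone.items():
        total, distinct = len(names), len(set(names))
        if total >= min_lookups and distinct / total >= min_unique_ratio:
            flagged[domain_id] = (total, distinct)
    return flagged

if __name__ == "__main__":
    print(flag_random_subdomain_floods(parse_lookups(SAMPLE_LOG)))
```

On a live server the same logic would run over a sliding time window, and a flagged domain_id is the zone to move to an lmdb/nsd pool or to rate-limit via dnsdist.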

