[Pdns-users] DDoS attack with random A requests causes SQL backend overload

Peter van Dijk peter.van.dijk at powerdns.com
Fri Jul 16 19:21:48 UTC 2021

On Fri, 2021-07-16 at 12:08 +0200, Thomas Mieslinger via Pdns-users
> Suggestions from older threads (Klaus Darrilon):
> - Put that zone in a more efficient Backend (he suggested lmdb)

Good idea.

> - Put that zone in a more efficient Software (he suggested nsd) and use
> dnsdist to route the traffic to the alternate Software

Also a good idea.

> Very old suggestion:
> - Use a firewall uint32 match to lock out queries to the attacked zone.

Should work, bit more work to manage.

> Crazy idea:
> - enable DNSSEC on that zone
> - set up pdns recursor or similar and delegate the zone to it
> - pdns-recursor should now be able to efficiently calculate the
> NXDOMAINs based on NSEC/NSEC3 information

Recursor can do that, but it cannot serve the zone to the world. It is
not an Authoritative server.

So, sadly, this suggestion does not work.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
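
The dnsdist routing suggestion discussed in the message above, as an added example that is not part of the original e-mail and not PowerDNS project configuration. The listen address, backend addresses and ports, pool name and the zone name `attacked.example.` are all placeholder assumptions.

```lua
-- dnsdist.conf sketch (added example; all addresses and names are placeholders)

-- Public listener that receives all authoritative traffic.
setLocal("192.0.2.53:53")

-- Default pool: the existing PowerDNS Authoritative Server with the SQL
-- backend, moved to a local port behind dnsdist. It keeps serving every
-- zone that is not under attack.
newServer({address="127.0.0.1:5300", name="pdns-auth-sql"})

-- Dedicated pool: the alternate software (nsd in the thread) that holds
-- a copy of only the attacked zone and answers NXDOMAIN from memory.
newServer({address="127.0.0.1:5301", name="nsd-attacked", pool="alt"})

-- Match the attacked zone and everything below it, so the random
-- <label>.attacked.example. A queries never reach the SQL backend.
local attacked = newSuffixMatchNode()
attacked:add(newDNSName("attacked.example."))

-- Rules are evaluated in order; a matching PoolAction sends the query
-- to the "alt" pool. Everything else falls through to the default pool.
addAction(SuffixMatchNodeRule(attacked), PoolAction("alt"))
```

The alternate server needs the zone contents kept in sync with the SQL-backed server, for example by running it as a secondary that receives zone transfers.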

