[Pdns-users] multi dns server

Jacob Bunk Nielsen jacob at bunknielsen.dk
Fri Oct 20 14:29:02 UTC 2023


Steffan via Pdns-users <pdns-users at mailman.powerdns.com> writes:

> Well the problem was a small attack targeting a lot of subdomains of a client.
>
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 117.54.16.252 wants 'payments.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a02:2f0e:5fff:ffff::2 wants 'skyline.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a04:c602:409:fe::27 wants 'app3.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

This is known as a pseudo random subdomain attack, often abbreviated PRSD.

> I forgot on that time that I had logging on. So it could be that without the logging the dns would be fast enough to handle it

Turning off logging will definitely help.

The standard approach for users of PowerDNS software to address DNS
based attacks is to install dnsdist and put it in front of PowerDNS.
Using dnsdist you can inspect incoming queries, create query rate
limits and specific mitigation rules in case of an attack.

Another approach often used by larger installations is to utilize
anycast to have multiple servers announcing the same DNS server IPs from
multiple geographical locations. This is how e.g. 1.1.1.1 and 8.8.8.8
work.

Best regards,
Jacob
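As an added illustration of the dnsdist approach described in the reply (this is not configuration from the original post or from the PowerDNS project), the following dnsdist.conf shows the three pieces that matter for a PRSD flood: refusing names outside the zones the backend serves, a static per-source rate limit, and a dynamic block keyed on the NXDOMAIN rate, since random subdomains of a real zone all produce NXDOMAIN and, as the quoted log shows, never hit any packet cache. The listen address, backend port, zone names, resolver ranges and thresholds are assumptions to be replaced with local values.

```lua
-- dnsdist.conf (Lua). Added example; addresses, ports, zone names and
-- thresholds below are assumptions, not values from the original thread.

-- Listen on the public address and forward everything to the
-- authoritative PowerDNS server on localhost (assumed to be on port 5300).
setLocal("192.0.2.10:53")
newServer({address="127.0.0.1:5300", name="pdns-auth"})

-- Refuse anything that is not a question under one of our own zones, so
-- junk names for zones we do not serve never reach the backend at all.
addAction(NotRule(QNameSuffixRule({"example.com.", "example.net."})),
          RCodeAction(DNSRCode.REFUSED))

-- Static per-client limit: more than 200 qps (burst 400) from a single
-- source (/32 for IPv4, /64 for IPv6) gets a truncated reply. A genuine
-- resolver retries over TCP; a spoofed UDP flood gets nothing useful.
addAction(MaxQPSIPRule(200, 32, 64, 400), TCAction())

-- Dynamic blocks: a client that triggered more than 50 NXDOMAIN responses
-- in 10 seconds is truncated for 60 seconds. A PRSD flood of random
-- subdomains is exactly this pattern; normal resolvers rarely reach it.
local dbr = dynBlockRulesGroup()
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10,
                 "PRSD: NXDOMAIN rate exceeded", 60, DNSAction.Truncate)
-- Catch-all query rate per client, also answered with truncation rather
-- than a drop so a busy legitimate resolver is slowed, not cut off.
dbr:setQueryRate(500, 10, "Query rate exceeded", 60, DNSAction.Truncate)
-- Assumed ranges of our own or trusted resolvers, never blocked dynamically.
dbr:excludeRange({"192.0.2.0/24", "2001:db8::/32"})

-- dnsdist calls maintenance() once per second; apply the dynamic rules there.
function maintenance()
  dbr:apply()
end
```

Truncation is chosen over DropAction() for both the static and the dynamic rules because PRSD traffic usually arrives through open or otherwise legitimate recursive resolvers: truncating lets those resolvers fall back to TCP and keep serving real clients, while the spoofed UDP sources behind them gain nothing. Blocks taken this way are visible with showDynBlocks() on the dnsdist console, which is a much cheaper way to see who is hammering the zone than full query logging on the authoritative server.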


