[Pdns-users] DNSBomb

Otto Moerbeek otto at drijf.net
Mon Jun 3 12:06:24 UTC 2024


On Mon, Jun 03, 2024 at 11:23:59AM +0000, Kilian Ries via Pdns-users wrote:

> Hi,
> 
> 
> I think you may have all heard about DNSBomb attacks:
> 
> 
> https://www.isc.org/blogs/2024-dnsbomb/
> 
> 
> Are there any recommended settings for auth or dnsdist for mitigating such attacks?
> 
> 
> Thanks
> 
> Regards,
> 
> Kilian

Hi,

The DNSBomb attack uses specially crafted auths to trigger an
aggregation mechanism in resolvers (in pdns recursor that is called
"chaining") to send their accumulated answers in a very short
time, resulting in a traffic spike from the resolver that might impact
clients.

In PowerDNS Recursor, the natural limit of aggregation is
max-mthreads, so there's already a limit in place. The relatively short
time (compared to other resolvers) a client request may take and the
time we are willing to wait for an auth's answer also play a role in
further mitigating DNSBomb.

When using dnsdist before a recursor, you could apply client rate limiting
to further protect against this and similar attacks. Some will argue
that you should already have that in place, especially if you run a
public resolver.

Auths are not subject to this attack, other than that specially
crafted auths are used to perform the attack.

The upcoming Recursor 5.1.0 will have some further improvements to
handle auths that are slow to answer in an improved way. This was
developed while studying the impact of DNSBomb on PowerDNS Recursor.

	-Otto

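The per-client rate limiting in dnsdist that Otto mentions, as an added configuration example that is not part of the mailing list post or of the PowerDNS project's own documentation; the listen address, backend address, query rates, masks and block duration are assumed placeholder values to adapt to a real deployment.

```lua
-- Added example (not from the mailing list post): dnsdist in front of a
-- PowerDNS Recursor with per-client rate limiting, so that a single
-- client cannot drive enough queries into the resolver to build up a
-- large DNSBomb-style burst. All addresses and numbers are placeholders.

-- Accept client queries here and forward them to the recursor.
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300", name = "recursor"})

-- Per-client token bucket: a client sending more than 20 queries per
-- second (counted per /32 for IPv4 and per /64 for IPv6) gets UDP
-- answers with TC=1 instead of a full answer. Truncating rather than
-- dropping lets a legitimate client behind a shared address retry over
-- TCP, while spoofed UDP floods get no usable response.
addAction(MaxQPSIPRule(20, 32, 64), TCAction())

-- Dynamic blocks: a client that sustains more than 30 queries per second
-- over a 10 second window is blocked for 60 seconds. Again truncate
-- rather than drop, for the same reason as above.
setDynBlocksAction(DNSAction.Truncate)
function maintenance()
  addDynBlocks(exceedQRate(30, 10), "Exceeded query rate", 60)
end
```

The limits are deliberately low for illustration; on a public resolver they should be derived from observed per-client query rates so that normal clients are never truncated.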