Ok, so here we go. I'm new to mailing lists, and have only used dnsdist for the most basic functions in the past. I am now trying to use it as an anti-ddos measure in authoritative DNS for an ISP.
I can't seem to figure out how to make the dynamic rules apply. I was thinking I require some sort of add action or a pool definition somewhere. I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so it will trigger and stay triggered. This is so I can verify the correct rule is applying. It would be very helpful to receive some insight as to why the maintenance function/dynrules don't seem to apply? Thanks!

-Mike Willis

###########################
Red Hat Enterprise Linux release 8.5 (Ootpa)
Linux dnsdist01 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Mon Jan 17 07:06:06 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
4x cores
8GB memory
virtual machine
2 nics (DMZ192/Public224)
###########################

-- DNSdist ns1 -- Mike Willis 2-17-2022

----Set encryption key for console-----------------------
setKey("redacted")
controlSocket('127.0.0.1:5199')

----- Local binds for DNS and ACLs --------------------
--ns1 public
setLocal("10.50.50.41:53")
-------------------------------------------------------
--setACL({'0.0.0.0/0', '::/0'})
-----------------------------------------------------

---Performance Tuning -------------------------------
--setRingBuffersSize(num[, numberOfShards])
setRingBuffersSize(500000,10)

----Dynamic blocking rules to mitigate abuse -----
--I'm not sure where to invoke, or apply these to a pool
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(100, 10, "Exceeded query rate", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)
dbr:setResponseByteRate(20000, 10, "Exceeded resp BW rate", 60)
--maintenance() is called by dnsdist once per second; apply() evaluates the rules against the ring buffers
function maintenance()
  dbr:apply()
end
--NOTE: Rules are processed in order, and some rules stop processing of additional rules
--IE: Some rules should be the last to run for a given flow.

----------------- Logging ----------------------
---This should be turned off in prod ---
--LogAction([filename[, binary[, append[, buffered[, verboseOnly[, includeTimestamp]]]]]])
--Note will not work if buffering is true
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false, false, true))
-------------------------------------------------

----- Pool Availability rules and failover ------
--Send traffic to ns1 if it is up
addAction(PoolAvailableRule("ns1"), PoolAction("ns1"))
--Send traffic to ns2 if ns1 is down
addAction(AllRule(), PoolAction("ns2"))
------------------------------------------------

----------- Load balanced servers and pool definitions ---------------
--ns1 --intentionally broken for testing failover
newServer({address="127.0.0.2", source="ens224", pool="ns1"})
--ns2 will be across a wan
newServer({address="9.9.9.9", source="ens224", pool="ns2"})
---------------------------------------------------------------------

############################################
dig @10.50.50.41 -tany dnsdist.org

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> @10.50.50.41 -tany dnsdist.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10952
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnsdist.org.                   IN      ANY

;; ANSWER SECTION:
dnsdist.org.            43193   IN      NS      pdns-public-ns1.powerdns.com.
dnsdist.org.            3593    IN      SOA     pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020080301 10800 3600 604800 10800
dnsdist.org.            43193   IN      NS      pdns-public-ns2.powerdns.com.
dnsdist.org.            43193   IN      A       188.166.104.92
dnsdist.org.            43193   IN      AAAA    2a03:b0c0:2:d0::4ab:8001

;; Query time: 48 msec
;; SERVER: 10.50.50.41#53(10.50.50.41)
;; WHEN: Wed Feb 23 10:38:03 EST 2022
;; MSG SIZE  rcvd: 205

[root@dnsdist01 dnsdist]# dnsdist -c
> showDynBlocks()
What            Seconds Blocks  Warning Action  Reason
>
_______________________________________________ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
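The following is an added example, not part of the post above and not dnsdist's own code. It models how a dynBlockRulesGroup rate rule is evaluated when dbr:apply() runs from maintenance() (which dnsdist calls once per second), following the documented semantics: the rate argument is per second and the window is the seconds argument, so a client is blocked only once its matching entries in the ring buffers over the last `seconds` seconds exceed rate * seconds. Under that reading, setQTypeRate(DNSQType.ANY, 1, 100, ...) needs more than 100 ANY queries from one client in 100 seconds, which a single dig cannot reach. Clients are aggregated to a /32 for IPv4 and a /64 for IPv6 (dnsdist's defaults, changeable with dbr:setMasks()). The ring entries, clock value and client addresses are constructed for the example, and the exact comparison (strictly greater than) is a modelling assumption.

```python
"""Model of the rate check behind dnsdist's dynBlockRulesGroup rules.

Constructed for this page; it is not dnsdist's own code. It follows the
documented semantics: `rate` is per second, the window is `seconds`, so a
client is blocked once its matching ring-buffer entries in the last
`seconds` seconds exceed rate * seconds. Clients are aggregated to a /32
(IPv4) or /64 (IPv6), dnsdist's defaults (changeable with dbr:setMasks()).
"""
import ipaddress
from collections import defaultdict

V4_MASK, V6_MASK = 32, 64  # dnsdist defaults for dynamic-block aggregation


def client_key(ip):
    """Aggregate a client address to the netmask dnsdist counts on."""
    addr = ipaddress.ip_address(ip)
    mask = V4_MASK if addr.version == 4 else V6_MASK
    return str(ipaddress.ip_network((str(addr), mask), strict=False))


def count_matches(ring, seconds, now, match):
    """Count ring entries per aggregated client inside the window.

    `ring` models the dnsdist ring buffer as (timestamp, client, qtype, rcode)
    tuples; `match(qtype, rcode)` selects the entries the rule looks at.
    """
    cutoff = now - seconds
    counts = defaultdict(int)
    for ts, client, qtype, rcode in ring:
        if ts > cutoff and match(qtype, rcode):
            counts[client_key(client)] += 1
    return counts


def apply_rate_rule(ring, rate, seconds, block_duration, now, match):
    """Return {client: block_expiry} for clients over the threshold, the
    way dbr:apply() (called from maintenance() every second) would.
    The strict '>' is a modelling assumption."""
    threshold = rate * seconds
    return {
        client: now + block_duration
        for client, n in count_matches(ring, seconds, now, match).items()
        if n > threshold
    }


# Selectors standing in for setQTypeRate(DNSQType.ANY, ...) and
# setRCodeRate(DNSRCode.NXDOMAIN, ...).
def any_queries(qtype, rcode):
    return qtype == "ANY"


def nxdomain_responses(qtype, rcode):
    return rcode == "NXDOMAIN"


def make_ring(client, qtype, rcode, count, start, spacing):
    """Constructed ring entries: `count` events from `client`, `spacing` s apart."""
    return [(start + i * spacing, client, qtype, rcode) for i in range(count)]


NOW = 1000.0  # constructed clock value

# One ANY query inside the window, like a single dig against the posted config.
# setQTypeRate(ANY, 1, 100, ...) means a threshold of 1 * 100 = 100: no block.
SINGLE = make_ring("10.50.50.99", "ANY", "NOERROR", 1, NOW - 5, 0)

# 120 ANY queries from one client in the last 10 s: 120 > 100, blocked for 600 s.
FLOOD = make_ring("198.51.100.7", "ANY", "NOERROR", 120, NOW - 10, 0.08)

# Two IPv6 hosts in one /64 sending 60 ANY each: counted together as the /64.
V6_PAIR = (make_ring("2001:db8:1:2::1", "ANY", "NOERROR", 60, NOW - 20, 0.1)
           + make_ring("2001:db8:1:2::2", "ANY", "NOERROR", 60, NOW - 20, 0.1))

# 30 NXDOMAIN in 8 s against setRCodeRate(NXDOMAIN, 20, 10, ...): threshold 200.
NXD = make_ring("203.0.113.4", "A", "NXDOMAIN", 30, NOW - 8, 0.2)

if __name__ == "__main__":
    for label, ring, rate, seconds, dur, sel in [
        ("ANY x1", SINGLE, 1, 100, 600, any_queries),
        ("ANY x120", FLOOD, 1, 100, 600, any_queries),
        ("ANY /64", V6_PAIR, 1, 100, 600, any_queries),
        ("NXD x30", NXD, 20, 10, 60, nxdomain_responses),
    ]:
        print(label, apply_rate_rule(ring, rate, seconds, dur, NOW, sel))
```

To reproduce a block against a real dnsdist with the posted rule, the client has to send more than rate * seconds matching queries inside the window (over 100 ANY queries within 100 seconds for the ANY rule), after which showDynBlocks() on the console lists the aggregated client, the remaining seconds and the reason string.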