Remi,

Thanks for the input. Yes, we have legit customers participating in the PRSD floods.

Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you share a sample config of this rule?

Regarding the professional service, whom should I contact to get pricing details?

Thanks
AH

________________________________
From: dnsdist <dnsdist-boun...@mailman.powerdns.com> on behalf of Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com>
Sent: Friday, April 1, 2022 8:12 AM
To: dnsdist@mailman.powerdns.com <dnsdist@mailman.powerdns.com>
Subject: Re: [dnsdist] How to best handle DNS floods

Hi,

On 31/03/2022 10:59, me aharen via dnsdist wrote:
> And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL),
> DropAction())" - although I am uncertain if this works as I think it would.

This will not work as expected, as this rule is going to drop queries with a response code set to ServFail, not responses. If you want to drop responses instead, which I'm not sure is a very good idea, you need to do:

addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

> I do have another QPS rule, "addAction(MaxQPSIPRule(50),
> PoolAction("abuse"))", to redirect the flooders.
>
> The only thing I can't do is apply any delay or drop action which would
> disrupt the user's legit queries.

So you have legitimate clients that take part in these DNS floods? Or are you concerned about false positives?

> Using Dynamic Rule is interesting, but it blocks queries once the
> "exceedServFails" exceeds, blocks legit queries for /32 - which is
> disruptive.

You could use DynBlockRulesGroup:setRCodeRate() [1] to send a truncated answer to blocked clients instead of dropping their queries, so regular clients can retry over TCP. DynBlockRulesGroup:setRCodeRatio() [2] might even be better as it allows you to only block if the ratio of ServFail answers among all answers sent to a given client reaches a threshold. If you are using a recent enough Linux kernel, it is even possible to do that with XDP for much better performance, see [3].

Note that it is also possible to use dnsdist to detect and block such PRSD attacks, with specific Lua scripts leveraging the ring buffers and dynamic blocks. Guidance and support for writing these scripts can be provided as part of our commercial solutions which include access to professional services.

[1]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRate
[2]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRatio
[3]: https://github.com/PowerDNS/pdns/pull/10498

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
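As an added illustration of the two dynamic rules Remi points to (this is not configuration from the thread, from AH, or from PowerDNS), the following dnsdist.conf fragment combines the existing MaxQPSIPRule diversion with a DynBlockRulesGroup that uses setRCodeRate() and setRCodeRatio(), both with the Truncate action so that clients caught by a block are told to retry over TCP rather than dropped. The backend addresses, the excluded management range, the pool name, the thresholds and the time windows are assumptions to be tuned against your own traffic.

```lua
-- dnsdist.conf excerpt (Lua). Added example; all addresses, pool names and
-- thresholds below are assumptions, not values from the thread.

-- Regular backends, plus a separate rate-limited pool that absorbs flooders
newServer({address = "192.0.2.10:53"})                             -- assumed backend
newServer({address = "192.0.2.11:53"})                             -- assumed backend
newServer({address = "192.0.2.20:53", pool = "abuse", qps = 200})  -- assumed throttled backend

-- Keep the per-client QPS diversion from the thread: heavy senders go to "abuse"
addAction(MaxQPSIPRule(50), PoolAction("abuse"))

-- Dynamic blocks are evaluated from the response ring buffers
local dbr = dynBlockRulesGroup()

-- Never dynamically block the monitoring/management hosts (assumed range)
dbr:excludeRange("198.51.100.0/24")

-- Rate rule: a client that received more than 20 ServFail answers per second,
-- averaged over the last 10 seconds, is blocked for 60 seconds.
-- DNSAction.Truncate answers the client's UDP queries with TC=1 instead of
-- dropping them, so a legitimate resolver simply retries over TCP.
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60, DNSAction.Truncate)

-- Ratio rule: block only when at least 50% of all answers sent to the client
-- in the last 10 seconds were ServFail, and only after the client has
-- received at least 100 answers in that window, so a few failed lookups from
-- an otherwise healthy client do not trigger a block.
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.5, 10, "ServFail ratio too high", 60, 100, DNSAction.Truncate)

-- Re-evaluate the rules on every maintenance pass
addMaintenance(function() dbr:apply() end)
```

Once loaded, showDynBlocks() on the dnsdist console lists the clients currently blocked and the rule that caught them, which is the quickest way to see whether the thresholds are catching the flooders without touching the legitimate clients sharing the same source. Truncate only helps clients that can fall back to TCP; anything that speaks UDP only will see its queries fail for the duration of the block, which is why the ratio rule with a minimum response count is the safer of the two to start with.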