Hi Stephane,

Thanks for sharing this. We run public encrypted DNS resolver services
and are seeing the same.

Some properties of these queries as we see them:
* all of them are for . NS
* all of them share the same non-zero DNS transaction ID
* all of these requests reach us via DoH, not via DoT or other transports
* all of them originate from a single ASN
* over ~95% reach us via IPv6
* dnsdist memory usage increased by 110% - also with the rule shown below

We are trying to deal with this for now with this rule:

addAction(AndRule({QTypeRule(DNSQType.NS),QNameRule("."),NetmaskGroupRule(<source prefix>)}),DropAction(),{name="drop_root_qname_NS_from_ASN..."})

but apparently it doesn't actually help to reduce the load on our
dnsdist frontends as measured via dnsdist_cpu_sys_msec.
Maybe the rule processing even adds more load on dnsdist, so depending on what you want to protect (dnsdist vs. recursor) this isn't actually a recommendation.

Feel free to reach out off-list if you want to share more.

best regards,
Christoph
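The query properties listed in the mail above (root-zone NS queries, one shared non-zero transaction ID, DoH only, a single source network, roughly 95% IPv6) can be turned into a detection check that runs over per-query records exported from the resolver front end. The following is an added example written for this thread; it is not code from Christoph, Stephane or the dnsdist project. It assumes a constructed record format of "source transport qname qtype txid" (dnsdist itself does not emit this format) and stands in for the "single ASN" observation with a hypothetical list of source prefixes, since ASN lookup is not possible offline.

```python
"""Flag a burst of queries that matches the fingerprint described in the mail."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records, not real traffic. Assumed format per line:
#   <source address> <transport> <qname> <qtype> <transaction id in hex>
# 20 queries, 19 over IPv6 (95%), all ". NS" over DoH with the same non-zero ID.
SAMPLE_RECORDS = """\
2001:db8:42::1 doh . NS 0x2e7a
2001:db8:42::2 doh . NS 0x2e7a
2001:db8:42::3 doh . NS 0x2e7a
2001:db8:42::4 doh . NS 0x2e7a
2001:db8:42::5 doh . NS 0x2e7a
2001:db8:42::6 doh . NS 0x2e7a
2001:db8:42::7 doh . NS 0x2e7a
2001:db8:42::8 doh . NS 0x2e7a
2001:db8:42::9 doh . NS 0x2e7a
2001:db8:42::a doh . NS 0x2e7a
2001:db8:42::b doh . NS 0x2e7a
2001:db8:42::c doh . NS 0x2e7a
2001:db8:42::d doh . NS 0x2e7a
2001:db8:42::e doh . NS 0x2e7a
2001:db8:42::f doh . NS 0x2e7a
2001:db8:42::10 doh . NS 0x2e7a
2001:db8:42::11 doh . NS 0x2e7a
2001:db8:42::12 doh . NS 0x2e7a
2001:db8:42::13 doh . NS 0x2e7a
192.0.2.77 doh . NS 0x2e7a
"""

# Constructed "normal" traffic for contrast: mixed names, transports and IDs.
NORMAL_RECORDS = """\
2001:db8:42::1 doh example.com. A 0x1111
192.0.2.10 dot example.net. AAAA 0x2222
2001:db8:42::7 doh example.org. MX 0x3333
198.51.100.4 do53 . NS 0x4444
"""

# Hypothetical stand-in for "all queries originate from a single ASN":
# prefixes we assume are announced by that one network (documentation ranges).
SOURCE_ASN_PREFIXES = [ip_network("2001:db8:42::/48"), ip_network("192.0.2.0/24")]


def parse_records(text):
    """Parse the constructed record format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, transport, qname, qtype, txid = line.split()
        rows.append({
            "src": ip_address(src),
            "transport": transport.lower(),
            "qname": qname,
            "qtype": qtype.upper(),
            "txid": int(txid, 16),
        })
    return rows


def profile(rows, asn_prefixes=SOURCE_ASN_PREFIXES):
    """Summarise a batch of queries against the properties from the mail."""
    n = len(rows)
    txids = Counter(r["txid"] for r in rows)
    ipv6 = sum(1 for r in rows if r["src"].version == 6)
    # ip_address in ip_network is False for mismatched IP versions, so a v4
    # source is only "in ASN" if a v4 prefix is listed.
    in_asn = all(any(r["src"] in p for p in asn_prefixes) for r in rows)
    return {
        "count": n,
        "all_root_ns": n > 0 and all(r["qname"] == "." and r["qtype"] == "NS" for r in rows),
        "single_nonzero_txid": len(txids) == 1 and next(iter(txids)) != 0,
        "all_doh": n > 0 and all(r["transport"] == "doh" for r in rows),
        "single_asn": n > 0 and in_asn,
        "ipv6_share": ipv6 / n if n else 0.0,
    }


def matches_pattern(p, ipv6_threshold=0.95, min_count=10):
    """True when every listed property holds on a batch of at least min_count queries."""
    return (p["count"] >= min_count
            and p["all_root_ns"]
            and p["single_nonzero_txid"]
            and p["all_doh"]
            and p["single_asn"]
            and p["ipv6_share"] >= ipv6_threshold)


if __name__ == "__main__":
    for label, text in (("burst", SAMPLE_RECORDS), ("normal", NORMAL_RECORDS)):
        p = profile(parse_records(text))
        print(label, p, "-> matches:", matches_pattern(p))
```

Running a check like this on a sliding window of recent queries, rather than on every packet inline, keeps the classification cost off the dnsdist hot path; the mail notes that even a simple drop rule did not reduce dnsdist_cpu_sys_msec, so measuring before blocking is the cheaper first step.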

_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist