Hi Brian!

On 30.04.2019 at 15:37, Brian Candler wrote:
On 29/04/2019 22:14, Klaus Darilion wrote:
Can you give an example of how those dynblock rules can be used to filter the above "attack"? The main problem with rate-limiting NXDOMAIN is that you need to ask the authoritative to get a response and check whether it is NXDOMAIN. Then, dropping the response is actually no help, as the authoritative still gets the query load.

In the normal case, suppressing responses may be a good thing to do, if the actual problem is that the DNS responses are part of a DoS attack (i.e. the DNS queries came in with spoofed source addresses).  The responses cause your IP reputation to suffer - and burn outbound bandwidth.

Most of the time the problem is not bandwidth, but a query pattern which bypasses caches (dnsdist, pdns-packet-cache, pdns-query-cache) and hence causes load on the backend. If the backend is MySQL or PostgreSQL this massively hurts and easily overloads the server (CPU, io-wait).


Also, if the source IP is random, you cannot block a source IP after too many NXDOMAINs.

That is true, but:

1. In that case, how would you propose dealing with random source IPs? That is: how could you tell the difference between a valid query which demands an NXDOMAIN response, mixed in with the "attacking" queries?

Indeed, that's why I do not use filters which evaluate the source IP.

2. Why would someone send you lots of queries with *random* source IPs? Have you analyzed them, are you sure they're random? An attacker would normally put a victim's IP in the source, or a small set of victim source IPs.  Sending truly random source IPs wouldn't achieve very much, apart from wasting your resources (and theirs).

I do not know. Attackers try to walk the zone to find potentially vulnerable services. Or maybe DDoS attacks on resolvers, which also hurt the authoritative servers, or DDoS on the authoritative. I do not know; I also see such queries on our authoritative servers, and they can hurt massively.

regards
Klaus
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
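The two points argued in this thread (a per-source NXDOMAIN dynblock only fires after the backend has already answered, and it never fires at all when the source addresses are spoofed at random) can be shown with a small simulation. The following is an added example written for this page, not code from the thread or from dnsdist itself: it is a minimal sliding-window NXDOMAIN counter per client address, modelled on what dnsdist's exceedNXDOMAINs()/addDynBlocks() pair does, fed with two constructed query streams against a made-up zone. The zone name, the threshold and window values, the addresses and the query names are all assumptions.

```python
"""Added example, not from the thread or from dnsdist: a per-source
NXDOMAIN dynamic block, modelled on dnsdist's exceedNXDOMAINs()/
addDynBlocks(), run against two constructed traffic samples.

Assumptions (made up for this example): zone "example.net", the two
existing names, a 10 s window, a threshold of 20 NXDOMAINs, a 60 s
block, and the source addresses in the two streams.
"""
import ipaddress
import random
from collections import defaultdict, deque

ZONE = "example.net"
KNOWN_NAMES = {"www.example.net", "mail.example.net"}  # constructed zone content
WINDOW_SECONDS = 10
NXDOMAIN_THRESHOLD = 20   # block a source once it exceeds this many NXDOMAINs per window
BLOCK_SECONDS = 60


class Backend:
    """Stands in for the authoritative backend (e.g. a SQL-backed pdns).
    Every call is one query the backend has to serve."""

    def __init__(self):
        self.queries = 0

    def answer(self, qname):
        self.queries += 1
        return "NOERROR" if qname in KNOWN_NAMES else "NXDOMAIN"


class NxdomainDynBlock:
    """Sliding-window count of NXDOMAIN responses per client address."""

    def __init__(self, backend):
        self.backend = backend
        self.events = defaultdict(deque)  # src -> timestamps of NXDOMAIN responses
        self.blocked = {}                 # src -> block expiry time
        self.dropped = 0

    def handle(self, now, src, qname):
        expiry = self.blocked.get(src)
        if expiry is not None and now < expiry:
            self.dropped += 1
            return None                   # dropped before reaching the backend
        # The rcode is only known after the backend has done the work.
        rcode = self.backend.answer(qname)
        if rcode == "NXDOMAIN":
            q = self.events[src]
            q.append(now)
            while q and q[0] <= now - WINDOW_SECONDS:
                q.popleft()
            if len(q) > NXDOMAIN_THRESHOLD:
                self.blocked[src] = now + BLOCK_SECONDS
        return rcode


def random_label(rng):
    """Random 10-character label, i.e. a name that certainly does not exist."""
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(10))


def single_source_stream(n=200, seed=1):
    """Constructed: one client walking random names, 10 queries per second."""
    rng = random.Random(seed)
    return [(i * 0.1, "192.0.2.10", f"{random_label(rng)}.{ZONE}") for i in range(n)]


def spoofed_source_stream(n=200, seed=1):
    """Constructed: the same walk, but every packet carries a random source IP."""
    rng = random.Random(seed)
    return [(i * 0.1, str(ipaddress.IPv4Address(rng.getrandbits(32))),
             f"{random_label(rng)}.{ZONE}") for i in range(n)]


def run(stream):
    """Run a stream through the dynblock and report what the backend saw."""
    backend = Backend()
    filt = NxdomainDynBlock(backend)
    for t, src, qname in stream:
        filt.handle(t, src, qname)
    return {"backend_queries": backend.queries,
            "dropped": filt.dropped,
            "blocked_sources": len(filt.blocked)}


if __name__ == "__main__":
    print("single source :", run(single_source_stream()))
    print("spoofed source:", run(spoofed_source_stream()))
```

With one real source the block kicks in after the 21st NXDOMAIN and the remaining 179 queries never reach the backend, but those first 21 still had to be answered before the block could exist. With random spoofed sources no address ever accumulates more than one NXDOMAIN, nothing is blocked, and all 200 queries hit the backend, which is exactly the load problem described above. In dnsdist the equivalent hook is a `maintenance()` function calling `addDynBlocks(exceedNXDOMAINs(rate, seconds), ...)`; it has the same property, because it keys on the client address.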