Re: [dnsdist] How to apply dynamic rules with pools?
Ooops.. managed to do a direct reply, instead of to the ML, but Remi beat me to it:

I don’t think the full time has to elapse before it’s evaluated, as long as your QPS is guaranteed to exceed the limit within the given timeframe. So e.g. if you allow 1 RPS per 10 seconds, doing 11 RPS in the first second should still trigger the block (after all, 11/10 is above 1). At least that’s how I’d expect it to work. The average for the time has to be exceeded. So a flood should often trigger quicker than the full elapsed time.

Would be so nice if reply-to was set to the ML email 😅

On 24 Feb 2022, at 00:20, Willis, Michael via dnsdist <dnsdist@mailman.powerdns.com> wrote:

> [...]

___
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
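The reply above and Remi's explanation both read a dynamic block rule as "count the client's queries in the trailing window and block when the count exceeds rate * seconds", which is why a burst can trip the rule long before the window has elapsed. The following model, added here and not dnsdist's own code, makes that arithmetic concrete. It assumes exactly those semantics (an `apply()` tick that scans the trailing window and compares the per-client count against `rate * seconds`), that the window retains every query (the real ring buffers are bounded), and uses constructed client addresses and timestamps; class and function names are hypothetical.

```python
"""Model of a dnsdist-style dynamic block rule such as
dbr:setQTypeRate(qtype, rate, seconds, reason, blockDuration).

Added illustration, not dnsdist source.  Assumed semantics: at each
apply() tick the client's queries inside the trailing `seconds` window
are counted and the client is blocked when count > rate * seconds.
Sample client addresses and timestamps below are constructed."""
from dataclasses import dataclass, field


@dataclass
class QTypeRateRule:
    rate: float          # allowed queries per second, averaged over the window
    seconds: int         # length of the trailing window
    reason: str
    block_duration: int  # how long a triggered block lasts

    def threshold(self) -> float:
        # The rule is an average, so the absolute budget is rate * seconds.
        return self.rate * self.seconds


@dataclass
class DynBlockModel:
    rule: QTypeRateRule
    queries: list = field(default_factory=list)  # (client, timestamp)
    blocks: dict = field(default_factory=dict)   # client -> block expiry time

    def record(self, client: str, ts: float) -> None:
        """Stand-in for the ring buffer that remembers one matching query."""
        self.queries.append((client, ts))

    def apply(self, now: float) -> list:
        """One maintenance tick: expire old blocks, then evaluate the window.
        Returns the clients newly blocked at this tick."""
        for client in [c for c, exp in self.blocks.items() if exp <= now]:
            del self.blocks[client]
        window_start = now - self.rule.seconds
        counts = {}
        for client, ts in self.queries:
            if window_start < ts <= now:
                counts[client] = counts.get(client, 0) + 1
        newly_blocked = []
        for client, n in counts.items():
            if n > self.rule.threshold() and client not in self.blocks:
                self.blocks[client] = now + self.rule.block_duration
                newly_blocked.append(client)
        return newly_blocked

    def is_blocked(self, client: str, now: float) -> bool:
        return client in self.blocks and self.blocks[client] > now


# Constructed client address used in all scenarios.
CLIENT = "192.0.2.10"


def scenario_single_query() -> list:
    """Mike's rule (1 ANY/s over 100 s, block 600 s): a single query never
    exceeds the budget of 100, however many ticks pass."""
    model = DynBlockModel(QTypeRateRule(1, 100, "Exceeded ANY rate", 600))
    model.record(CLIENT, 0.5)
    return [model.apply(tick) for tick in range(1, 101)]  # all empty lists


def scenario_burst() -> tuple:
    """1 ANY/s over 10 s: eleven queries inside the first second exceed the
    budget of 10 at the very first tick, before the window has elapsed.
    Returns (newly blocked at t=1, blocked at t=2, blocked at t=700)."""
    model = DynBlockModel(QTypeRateRule(1, 10, "Exceeded ANY rate", 600))
    for i in range(11):
        model.record(CLIENT, 0.05 * i)
    newly = model.apply(1)
    return newly, model.is_blocked(CLIENT, 2), model.is_blocked(CLIENT, 700)


def scenario_zero_rate() -> list:
    """Remi's test rule (0 ANY/s over 1 s): budget is 0, so the first query
    is already over it at the next tick."""
    model = DynBlockModel(QTypeRateRule(0, 1, "Exceeded ANY rate", 600))
    model.record(CLIENT, 0.5)
    return model.apply(1)


if __name__ == "__main__":
    print("single query ever blocked:", any(scenario_single_query()))
    print("burst:", scenario_burst())
    print("zero rate:", scenario_zero_rate())
```

The model also shows why the block expiry matters for testing: the burst scenario reports the client as blocked at t=2 but no longer at t=700, once the 600 second block duration has passed, so a "stays triggered" test needs the burst to keep recurring or the block duration to be long enough.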
Re: [dnsdist] How to apply dynamic rules with pools?
Hello Remi,

Thank you for the quick response! I had really just set the "ANY" trigger really low so that it would invoke, and I could verify that the rules were applying. If I update it with the dbr rule you provided, it does indeed create a block after the first request. (yay).

I changed the rule to:

dbr:setQTypeRate(DNSQType.ANY, 1, 10, "Exceeded ANY rate", 600)

After testing it looks like the entire 10 seconds needed to elapse before the rule is evaluated. I was not expecting this logic, and that was tripping me up. I was thinking that the rules were not applying at all.

I definitely want to enable sensible rules for an auth server with 2500 zones and an average of 14k'ish QPS.

Thank you very much for your time!
-Mike Willis

From: dnsdist on behalf of Remi Gacogne via dnsdist
Sent: Wednesday, February 23, 2022 10:59 AM
To: dnsdist@mailman.powerdns.com
Subject: Re: [dnsdist] How to apply dynamic rules with pools?

> [...]
Re: [dnsdist] How to apply dynamic rules with pools?
Hi Mike,

On 23/02/2022 16:49, Willis, Michael via dnsdist wrote:
> I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so
> it will trigger and stay triggered.
> This is so I can verify the correct rule is applying.
> dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)

This rule is saying "block, for 600 seconds, clients that have been sending more than one ANY query per second over the last 100 seconds", so one query is not going to be enough to trigger the block.

You could try this one instead:

dbr:setQTypeRate(DNSQType.ANY, 0, 1, "Exceeded ANY rate", 600)

This will block any client that has been sending more than 0 ANY query per second over the last second. In my test this results in getting blocked right away after sending your first ANY query. I'm not sure I would recommend such a drastic rule, but that's a different matter :)

Hope that helps,

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
[dnsdist] How to apply dynamic rules with pools?
Ok, so here we go. I'm new to mailing lists, and have only used dnsdist for the most basic functions in the past. I am now trying to use it as an anti-ddos measure in authoritative DNS for an ISP. I can't seem to figure out how to make the dynamic rules apply. I was thinking I require some sort of add action or a pool definition somewhere.

I have intentionally set the trigger for "ANY" to 1 every 100 seconds, so it will trigger and stay triggered. This is so I can verify the correct rule is applying.

It would be very helpful to receive some insight as to why the maintenance function/dynrules don't seem to apply?

Thanks!
-Mike Willis

###
Red Hat Enterprise Linux release 8.5 (Ootpa)
Linux dnsdist01 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Mon Jan 17 07:06:06 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
4x cores 8GB memory virtual machine
2 nics (DMZ192/Public224)
###

-- DNSdist ns1 -- Mike Willis 2-17-2022

--- Set encryption key for console ---
setKey("redacted")
controlSocket('127.0.0.1:5199')

--- Local binds for DNS and ACLs ---
--ns1 public
setLocal("10.50.50.41:53")
--setACL({'0.0.0.0/0', '::/0'})

--- Performance Tuning ---
--setRingBuffersSize(num[, numberOfShards])
setRingBuffersSize(50,10)

--- Dynamic blocking rules to mitigate abuse ---
--I'm not sure where to invoke, or apply these to a pool
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(100, 10, "Exceeded query rate", 60)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 10, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 1, 100, "Exceeded ANY rate", 600)
dbr:setResponseByteRate(2, 10, "Exceeded resp BW rate", 60)

function maintenance()
  dbr:apply()
end

--NOTE: Rules are processed in order, and some rules stop processing of additional rules
--IE: Some rules should be the last to run for a given flow.

--- Logging ---
--This should be turned off in prod
--LogAction([filename[, binary[, append[, buffered[, verboseOnly[, includeTimestamp]]])
--Note will not work if buffering is true
addAction(AllRule(), LogAction("/var/log/dnsdist.log", false, true, false, false, true))

--- Pool Availability rules and failover ---
--Send traffic to ns1 if it is up
addAction(PoolAvailableRule("ns1"), PoolAction("ns1"))
--Send traffic to ns2 if ns1 is down
addAction(AllRule(), PoolAction("ns2"))

--- Load balanced servers and pool definitions ---
--ns1 --intentionally broken for testing failover
newServer({address="127.0.0.2", source="ens224", pool="ns1"})
--ns2 will be across a wan
newServer({address="9.9.9.9", source="ens224", pool="ns2"})

dig @10.50.50.41 -tany dnsdist.org

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> @10.50.50.41 -tany dnsdist.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10952
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnsdist.org.                   IN      ANY

;; ANSWER SECTION:
dnsdist.org.            43193   IN      NS      pdns-public-ns1.powerdns.com.
dnsdist.org.            3593    IN      SOA     pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020080301 10800 3600 604800 10800
dnsdist.org.            43193   IN      NS      pdns-public-ns2.powerdns.com.
dnsdist.org.            43193   IN      A       188.166.104.92
dnsdist.org.            43193   IN      2a03:b0c0:2:d0::4ab:8001

;; Query time: 48 msec
;; SERVER: 10.50.50.41#53(10.50.50.41)
;; WHEN: Wed Feb 23 10:38:03 EST 2022
;; MSG SIZE  rcvd: 205

[root@dnsdist01 dnsdist]# dnsdist -c
> showDynBlocks()
What    Seconds    Blocks    Warning    Action    Reason
>