Indeed - I only wanted to comment on the rate limiting. It is not that I
argue against rate limiting, but that admins should be aware when it
actually helps, and when not. Sorry if my email seemed a bit harsh.
We also used rate limiting with dnsdist, but due to the mentioned
problems we switched to high performance backends for the zones which
are under constant attack.
regards
Klaus
On 02.04.2020 at 13:22, Frank Louwers wrote:
That's very selective cutting of my sentence Klaus....
On 2 Apr 2020, at 13:09, Klaus Darilion <klaus.mailingli...@pernau.at> wrote:
On 02.04.2020 at 09:15, Frank Louwers wrote:
dnsdist allows you to do general rate limiting/blocking
Rate limiting is often not the correct choice.
If the source IP is random (which is usually the case with spoofed
source IP addresses), a rate limiting based on source IP is not useful.
If the query-name is random (which is usually the case with spoofed
source IP addresses), a rate limiting based on qname is not useful.
If the qname is always the same, or at least within the same zone, you
could do rate limiting for that zone, but this limits all queries,
attack queries and legitimate queries. Hence, you create a DoS for that
zone, but at least avoid collateral damage to other zones hosted on
that name server.
So my advice: use a name server which can fill your upstream bandwidth
(NSD, Knot ...). And for volumetric attacks use a commercial DDoS
mitigation provider which filters your traffic (i.e. buy the service
from your ISP or from a remote DDoS mitigation provider which
announces your prefixes on demand.)
regards
Klaus
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
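As an added illustration of the argument in Klaus's quoted email (this is constructed example code, not code from the thread or from dnsdist): a toy simulation of one window of traffic under the three keying strategies he discusses. The victim zone, the legitimate resolver address, the 10/8 spoofed-source pool and the limit of 100 queries per key are all constructed assumptions.

```python
import random
from collections import Counter

# Toy model of the thread's point: limiting per source IP or per qname does
# nothing against a spoofed random-source / random-qname flood, while a
# per-zone limit stops the flood but also drops that zone's legitimate
# queries. Added example; all values below are constructed.

ZONE = "example.org."          # constructed victim zone
LEGIT_SRC = "192.0.2.10"       # constructed legitimate resolver (TEST-NET-1)
LIMIT = 100                    # queries per key allowed in one window

def zone_of(qname):
    """Toy zone cut: the last two labels (enough for this single-zone model)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."

def make_traffic(n=1050, seed=1):
    """One window of (kind, source_ip, qname). Every 21st query is legitimate
    (two fixed names from one resolver); the rest carry a random spoofed
    source drawn from 10/8 and a random label under ZONE."""
    rng = random.Random(seed)
    queries = []
    for i in range(n):
        if i % 21 == 20:
            name = ("www." if i % 2 else "mail.") + ZONE
            queries.append(("legit", LEGIT_SRC, name))
        else:
            src = "10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3))
            queries.append(("attack", src, "%09x.%s" % (rng.randrange(16 ** 9), ZONE)))
    return queries

def drop_counts(queries, key_fn, limit=LIMIT):
    """Window counter: once a key has used up `limit` queries, every further
    query with that key is dropped. Returns dropped queries per kind."""
    seen, dropped = Counter(), Counter({"attack": 0, "legit": 0})
    for kind, src, qname in queries:
        key = key_fn(src, qname)
        seen[key] += 1
        if seen[key] > limit:
            dropped[kind] += 1
    return dropped

STRATEGIES = {
    "per-source-ip": lambda src, qname: src,
    "per-qname": lambda src, qname: qname,
    "per-zone": lambda src, qname: zone_of(qname),
}

def evaluate(queries=None):
    """Dropped attack/legit counts for each keying strategy."""
    queries = make_traffic() if queries is None else queries
    return {name: dict(drop_counts(queries, key_fn)) for name, key_fn in STRATEGIES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} dropped attack={result['attack']:4d} legit={result['legit']:3d}")
```

With 1000 attack and 50 legitimate queries in the window, the per-source and per-qname limiters drop nothing at all, while the per-zone limiter drops 904 attack queries together with 46 of the 50 legitimate ones, which is the "DoS for that zone, but no collateral damage to other zones" trade-off from the email.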