Hi Stephan,

On 11/8/21 13:03, De Webmakers (Stephan) via dnsdist wrote:
We recently experienced a DDoS on our nameservers.

We are now looking to (help) prevent this in the future and since we are using powerDNS we came across dnsdist.

We analyzed the DDoS requests and the requests came from different (probably spoofed) IPs.

For example x.y.z.1 and then x.y.z.2 etc.

The requested domain was the same every time with a different subdomain.

For example a.example.com and then b.example.com.

Would it be possible for dnsdist to limit requests per domain instead of per IP?

So if there are more than 10 requests for *.example.com in a second (or something) the requests for that entire domain (example.com) are dropped for 60 seconds (or more).

The building blocks to detect and mitigate PRSD attacks are there, from the information in the ring buffers about recent queries and responses to dynamic block rules, but that requires writing quite a bit of Lua to tailor the behaviour to your needs. Our professional services have done that work for several customers already.

It is also possible to do more simple rate-limiting per domain using a SuffixMatchNodeRule [1] (which is much more efficient than a regular expression) combined with a MaxQPSRule [2], for example.

[1]: https://dnsdist.org/rules-actions.html#SuffixMatchNodeRule
[2]: https://dnsdist.org/rules-actions.html#MaxQPSRule

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
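The simpler per-domain rate limit Remi describes (SuffixMatchNodeRule combined with MaxQPSRule), written out as a dnsdist Lua configuration fragment. This is an added example, not code from the thread or from the dnsdist project; the zone names, rate limits and the `addZoneRateLimit` helper are hypothetical placeholders.

```lua
-- dnsdist configuration (Lua): limit queries per zone instead of per client IP.
-- Builds on SuffixMatchNodeRule + MaxQPSRule + AndRule as discussed above.

-- One MaxQPSRule per zone. A MaxQPSRule object keeps a single counter, so
-- listing several zones in one SuffixMatchNodeRule and sharing one MaxQPSRule
-- would let an attack on one zone throttle the others.
local function addZoneRateLimit(zone, qps, burst)
  -- Matches the zone apex and every name below it (a.example.com., b.example.com., ...).
  local inZone = SuffixMatchNodeRule(zone)
  -- Matches only the queries above the configured rate; the first `qps`
  -- queries per second (plus `burst`) still pass through.
  local overLimit = MaxQPSRule(qps, burst)
  -- AndRule evaluates left to right and stops at the first non-match, so the
  -- suffix rule must come first: only queries for this zone are counted.
  addAction(AndRule({inZone, overLimit}), DropAction())
end

-- Hypothetical zones and limits; tune to the real query volume of each zone.
addZoneRateLimit("example.com.", 10, 20)
addZoneRateLimit("example.net.", 50, 100)

-- Keep a per-client limit as well, so a single unspoofed source cannot
-- consume a zone's whole aggregate budget on its own.
addAction(MaxQPSIPRule(100), DropAction())
```

This throttles a zone to its configured rate rather than blocking it outright for a fixed period; the 60-second block behaviour from the question needs the dynamic block rules mentioned earlier.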

