Hi Mark,

That would work if it's a single known domain. The thing is, domains are random and change periodically.

Currently, I have an RPZ configured to handle known domains. The other way I could think of is to log all SERVFAILs to a file, and with some CLI wizardry inject a rule for that domain using a "dnsdist -e 'addAction( RegexRule( "<domain>" ), DropAction())'". Continuously collecting logs would be taxing on IO, yes.

Regards
AH

________________________________
From: dnsdist <dnsdist-boun...@mailman.powerdns.com> on behalf of Mark Moseley via dnsdist <dnsdist@mailman.powerdns.com>
Sent: Thursday, March 31, 2022 6:56 PM
Cc: dnsdist@mailman.powerdns.com
Subject: Re: [dnsdist] How to best handle DNS floods

Would this do the trick:

addAction( RegexRule( "\\.shopify\\.sh\\.cn$" ), DropAction() )

? I'm assuming that you don't actually have any legit queries for that subdomain, which might not be the case (and thus disrupt users' legit queries).

On Thu, Mar 31, 2022 at 2:00 AM me aharen via dnsdist <dnsdist@mailman.powerdns.com> wrote:

Hello there,

I am in a situation where my dnsdist server is being flooded with random DNS queries like those seen below:

zvbi2raw.shopify.sh.cn.
zuqiuzhibonow.shopify.sh.cn.
zypb-pjqr.shopify.sh.cn.
zuul-data.shopify.sh.cn.
zwingscloud.shopify.sh.cn.
zuqiuzhoukan00.shopify.sh.cn.
zysd.shopify.sh.cn.
zzmtwvncx.shopify.sh.cn.
zvit.shopify.sh.cn.

These floods generate large numbers of SERVFAIL responses and I would like to minimize or best handle this. On the cache config, I have set temporaryFailureTTL to 3600 and staleTTL to 3600. And I added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())", although I am uncertain if this works as I think it would.

I do have another QPS rule, "addAction(MaxQPSIPRule(50), PoolAction("abuse"))", to redirect the flooders. The only thing I can't do is apply any delay or drop action, which would disrupt the users' legit queries. Using Dynamic Rules is interesting, but once "exceedServFails" is exceeded it blocks queries for the /32, including legit queries, which is disruptive.

Any pointers?

Thanks,
AH

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
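The thread leaves two options on the table: Mark's static RegexRule (permanent, and it silently breaks any legitimate name under the suffix) and the exceedServFails dynamic block (keyed on the client /32, so a NATed office loses resolution when one infected host floods). dnsdist has a third mechanism that fits the random-subdomain case directly: a DynBlockRulesGroup suffix rule, whose visitor function is called with per-suffix query and SERVFAIL counters and can place a time-limited block on the *name* (here "shopify.sh.cn.") rather than on the client. The configuration below is an added example written for this thread; it is not code from the thread or from the dnsdist project. Backend addresses, pool names, window lengths and thresholds are assumptions chosen for illustration, and the StatNode/StatNodeStats field names (fullname, queries, servfails) follow the dnsdist reference documentation, so verify them against the installed version before relying on this.

```lua
-- dnsdist.conf (Lua) -- added example, not taken from the thread or the dnsdist project.
-- Goal: under a random-subdomain flood, block the offending suffix for a while,
-- without dropping legitimate traffic from the same client addresses.

-- Assumed backends: a normal recursor and a separate, cheaper "abuse" recursor.
newServer({address = "127.0.0.1:5300", pool = ""})       -- assumption
newServer({address = "127.0.0.1:5301", pool = "abuse"})  -- assumption

-- Per-client steering kept from the thread: chatty sources are moved to the
-- abuse pool, never dropped, so a NATed client's legitimate queries still resolve.
addAction(MaxQPSIPRule(50), PoolAction("abuse"))

-- Tunables (all assumptions for illustration; tune to your own traffic).
local WINDOW_SECONDS = 10    -- how far back the stats window reaches
local MIN_LABELS     = 3     -- never block suffixes shorter than x.y.z. (protects "sh.cn.", "cn.")
local MIN_QUERIES    = 200   -- minimum queries under a suffix inside the window
local SERVFAIL_RATIO = 0.9   -- fraction of those that ended in SERVFAIL
local BLOCK_SECONDS  = 300   -- how long the suffix stays blocked; it expires on its own

-- Count labels in a dotted, fully-qualified name: "shopify.sh.cn." -> 3.
local function labelCount(fqdn)
  local _, dots = fqdn:gsub("%.", "")
  return dots
end

-- Visitor invoked by dnsdist for every node of the suffix tree.
--   node     : StatNode, node.fullname is the suffix being examined (e.g. "shopify.sh.cn.")
--   self     : StatNodeStats for queries whose qname is exactly node.fullname
--   children : StatNodeStats aggregated over everything below node.fullname
-- Return true (plus a reason) to install a dynamic block on node.fullname.
local function servfailSuffixVisitor(node, self, children)
  if labelCount(node.fullname) < MIN_LABELS then
    return false -- too broad to block, e.g. a whole TLD
  end

  local queries   = self.queries + children.queries
  local servfails = self.servfails + children.servfails

  if queries < MIN_QUERIES then
    return false -- individual leaf names like "zvit.shopify.sh.cn." never reach this volume
  end
  if servfails / queries < SERVFAIL_RATIO then
    return false -- a busy but mostly-healthy zone is left alone
  end

  return true, string.format("%d/%d SERVFAIL under %s in %ds",
                             servfails, queries, node.fullname, WINDOW_SECONDS)
end

local dbr = dynBlockRulesGroup()
dbr:setSuffixMatchRule(WINDOW_SECONDS, "SERVFAIL flood under suffix",
                       BLOCK_SECONDS, DNSAction.Drop, servfailSuffixVisitor)

-- dnsdist calls maintenance() about once per second; apply() walks the
-- response statistics and installs or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

While a flood is running, `showDynBlocks()` on the dnsdist console lists the blocked suffix together with the reason string returned by the visitor, and the block disappears after BLOCK_SECONDS without anyone injecting or removing rules by hand. Two caveats on the settings already quoted in the thread: the SERVFAIL cache (temporaryFailureTTL) only helps when a name repeats, which random labels never do, and a query-time `addAction(RCodeRule(DNSRCode.SERVFAIL), ...)` never matches because the rcode field of an incoming query is 0; a response-side rule (`addResponseAction` with `DropResponseAction()`) would match the SERVFAILs, but only after the backend has already done the work, which is why the suffix block is applied to the queries instead.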