Hi Remi,

Thanks for the awesome example.

In your example, 80% of Servfail answers over the last 60s, with a minimum of 10 answers, will trigger fallback on TCP. Can you explain the "minimum of 10 answers during that time to reduce the risk of false-positive" part? Does it mean that a minimum of 10 queries within that window should be SERVFAIL?

The dynamic rule can also use DNSAction.Pool instead of DNSAction.Truncate. How do I make use of the Pool? This way I could redirect them to a separate server.

Thanks for your help,
AH

________________________________
From: dnsdist <[email protected]> on behalf of Remi Gacogne via dnsdist <[email protected]>
Sent: Monday, April 4, 2022 10:30 AM
To: [email protected] <[email protected]>
Subject: Re: [dnsdist] [EXT] Re: How to best handle DNS floods

Hi,

On 03/04/2022 10:42, me aharen wrote:
> Thanks for the input. Yes, we have legit customers participating in the
> PRSD floods.

Understood.

> Setting the DynBlockRulesGroup:setRCodeRatio is interesting, can you
> share a sample config of this rule?

I cannot find any example in the documentation, which I really should fix, but we have a small example in our regression tests:

https://github.com/PowerDNS/pdns/blob/790f18878013eda17abb3fd5b0bc03cb87554c79/regression-tests.dnsdist/test_DynBlocks.py#L942

Basically to block for 120s any client that had say, more than 80% of Servfail answers over the last 60s, with a minimum of 10 answers during that time to reduce the risk of false positive, you would do:

local dbr = dynBlockRulesGroup()
-- rcode, ratio, window (s), reason, block duration (s), minimum number of answers
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10)

function maintenance()
  dbr:apply()
end

If you wanted to tell these clients to try again over TCP instead:

local dbr = dynBlockRulesGroup()
-- same rule, with the action as last argument: truncate so the client retries over TCP
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 60, "Exceeded servfail ratio", 120, 10, DNSAction.Truncate)

function maintenance()
  dbr:apply()
end

> Regarding the professional service, whom should I contact to get pricing
> details?

The easiest option is likely to go to https://www.open-xchange.com/products/dnsdist/?hsLang=en and click "Contact OX", and someone from our team should get back to you quickly.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist
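As an added illustration (not part of the thread and not dnsdist's own code), this Python model shows how the "minimum of 10 answers" parameter in the rule above interacts with the 80% ratio and the 60s window. It assumes the minimum counts all answers sent to a client within the window, not only the SERVFAIL ones; the class name, client addresses and traffic are constructed.

```python
from collections import deque

SERVFAIL = 2  # DNS RCODE value for Server Failure (RFC 1035)


class RCodeRatioRule:
    """Hypothetical model of the rule: rcode, ratio, window and minimum answers."""

    def __init__(self, rcode, ratio, window, min_responses):
        self.rcode, self.ratio = rcode, ratio
        self.window, self.min_responses = window, min_responses
        self.seen = {}  # client -> deque of (timestamp, rcode)

    def record(self, client, ts, rcode):
        self.seen.setdefault(client, deque()).append((ts, rcode))

    def exceeded(self, client, now):
        """True if the client's answers in the last `window` seconds trip the rule."""
        q = self.seen.get(client, deque())
        while q and q[0][0] <= now - self.window:  # drop answers older than the window
            q.popleft()
        total = len(q)
        if total < self.min_responses:  # too few answers to judge this client
            return False
        matching = sum(1 for _, rc in q if rc == self.rcode)
        return matching > self.ratio * total  # "more than 80%" in the message


def demo():
    # Same numbers as the message: 80% SERVFAIL over 60 s, at least 10 answers.
    rule = RCodeRatioRule(SERVFAIL, 0.8, 60, 10)
    # Constructed traffic, one answer per second, documentation addresses.
    for t in range(3):   # 3 answers, all SERVFAIL: 100% but below the minimum
        rule.record("192.0.2.10", t, SERVFAIL)
    for t in range(20):  # 20 answers, 17 SERVFAIL: 85%
        rule.record("192.0.2.20", t, SERVFAIL if t < 17 else 0)
    for t in range(20):  # 20 answers, 10 SERVFAIL: 50%
        rule.record("192.0.2.30", t, SERVFAIL if t % 2 else 0)
    for t in range(20):  # 20 SERVFAIL answers, all outside the window at t=100
        rule.record("192.0.2.40", t, SERVFAIL)
    return {c: rule.exceeded(c, now=100 if c == "192.0.2.40" else 20)
            for c in rule.seen}


if __name__ == "__main__":
    for client, hit in demo().items():
        print(client, "rule triggered" if hit else "no action")
```

Without the minimum, the first client would trip the rule on only three failed lookups, which is the false positive the parameter is meant to avoid.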
