Hi Eric,

We are using the following DOS protection configuration on dnsdist. We are using it for our DNS resolvers, but you can change it as per your requirement for authoritative servers.

This is a dynamic blocklist where we are protecting against very high QPS from specific clients, or a high rate for specific query types (like ANY). You can also exclude certain IPs/networks from this blocklist.

-- Generate a warning if we detect a query rate above 100 qps for at least 20s.
-- If the query rate rises above 300 qps for 20s, block the client for 60s.
-- If the NXDOMAIN response rate rises above 20/s for 20s, block for 60s.
-- If the SERVFAIL response rate rises above 20/s for 20s, block for 60s.
-- If the ANY query rate rises above 20/s for 20s, block for 60s.

local dbr = dynBlockRulesGroup()
dbr:setQueryRate(300, 20, "Exceeded query rate", 60, DNSAction.Drop, 100)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 20, "Exceeded NXD rate", 60)
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 20, "Exceeded ServFail rate", 60)
dbr:setQTypeRate(DNSQType.ANY, 20, 20, "Exceeded ANY rate", 60)
-- Never dynamically block these networks (our own infrastructure).
dbr:excludeRange({"192.168.48.0/24", "192.168.188.0/24"})

-- maintenance() is called by dnsdist every second; apply() evaluates the
-- rules against the ring buffers and installs any resulting dynamic blocks.
function maintenance()
  dbr:apply()
end

Regards
Jahanzeb Arshad
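An added example for the authoritative-server case Eric describes, not from Jahanzeb's post or from dnsdist's own documentation: the backend addresses, the dedicated abuse-pool backend, the 50 qps per-client threshold and the excluded ranges are assumed placeholders. It combines the per-client abuse pool Eric already has with the dynamic block rules above, and uses Truncate rather than Drop on the query-rate rule so that genuine resolvers caught by the limit can still retry over TCP while spoofed-source UDP floods get nothing useful back.

```lua
-- Assumed backends: four authoritative servers in the default pool plus a
-- separate, deliberately small backend for clients steered to "abuse".
newServer({address = "192.0.2.10"})
newServer({address = "192.0.2.11"})
newServer({address = "192.0.2.12"})
newServer({address = "192.0.2.13"})
newServer({address = "192.0.2.20", pool = "abuse"})

-- Static per-client limit (assumed 50 qps sustained, burst 100, keyed on
-- /32 for IPv4 and /64 for IPv6): route offenders to the abuse pool
-- instead of dropping them, so a misbehaving resolver degrades gracefully.
addAction(MaxQPSIPRule(50, 32, 64, 100), PoolAction("abuse"))

-- ANY over UDP only ever gets a truncated answer: real resolvers retry over
-- TCP, amplification traffic with a spoofed source never gets a full reply.
addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), TCAction())

-- Dynamic blocks, as in the resolver configuration above, but with Truncate
-- on the query-rate rule: over-limit clients are told to come back over
-- TCP for 60s rather than being silently dropped.
local dbr = dynBlockRulesGroup()
-- warn above 100 qps for 20s; truncate above 300 qps for 20s, for 60s
dbr:setQueryRate(300, 20, "Exceeded query rate", 60, DNSAction.Truncate, 100)
-- NXDOMAIN floods (random-subdomain attacks) are dropped for 60s
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 20, 20, "Exceeded NXD rate", 60)
-- repeated ANY from one client is dropped for 60s
dbr:setQTypeRate(DNSQType.ANY, 20, 20, "Exceeded ANY rate", 60)
-- Assumed ranges: our secondaries and monitoring must never be blocked.
dbr:excludeRange({"192.0.2.0/24", "2001:db8::/32"})

-- dnsdist calls maintenance() once per second.
function maintenance()
  dbr:apply()
end
```

Use showDynBlocks() on the dnsdist console while testing to confirm which clients are being blocked and for which reason before relying on this in production.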

On 28/11/23 21:15, Eric Merkel via dnsdist wrote:
Hello all,

I am a dnsdist noob here seeking some advice. I have set up and am testing dnsdist in the following configuration.

4 geographically diverse dnsdist servers load balancing 4 authoritative backend servers for around 30,000 domains/zones.

I understand how to set up an Abuse pool to handle clients that reach a certain number of QPS. What I am looking for are some other example configurations or best practices to help deal with DOS attacks that other users have experienced in the past.

My goal is to put some basic safeguards in place before we experience an attack rather than scrambling to figure out something quickly while an attack is occurring.

Any advice or sample configurations etc would be much appreciated!

Best regards,
Eric



_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist