Hi all, I'm wondering if anyone has suggestions of reasonable ways to handle this type of abusive traffic with dnsdist.
We've had on and off attacks recently targeting legitimate domains delegated to our authoritative service flooding queries for random subdomains of varying length and characters/words. i.e. 12345.example.com, fred.example.com, abc178371jd.example.com, where example.com is a different domain we're authoritative for each attack. The dnsdist nodes can handle the traffic, but breaking cache and going through to our backends is having more of an impact.

We have thousands of domains, so it doesn't seem reasonable to apply individual rate limits to them all, but if there is a straightforward way to do something like that I'd be happy to hear it. The source addresses are well known public resolvers that we shouldn't rate limit either.

I'm wondering if there's any way to detect and apply a rule dynamically to respond to queries for one of these domains without affecting the source IP address entirely, and not require us to manually add a rule for each domain as it occurs.

Any ideas would be appreciated.

Take care,
-Dan

Dan McCombs
Senior Engineer I - DNS
dmcco...@digitalocean.com
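An added example, not part of the original post and not dnsdist configuration: the detection described above, keyed on the zone rather than the source address, run over a constructed query log. The zone names, thresholds and sample queries are constructed, and treating a first-seen name as a proxy for a cache miss is an assumption.

```python
from collections import defaultdict, deque

ZONES = {"example.com", "example.org"}  # constructed: zones we are authoritative for

def zone_of(qname, zones):
    """Longest-suffix match of qname against the authoritative zone set."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None

class ZoneFloodDetector:
    """Flags a zone when too many never-seen names arrive within the window."""
    def __init__(self, zones, window=10.0, max_new_names=5):
        self.zones, self.window, self.max_new = zones, window, max_new_names
        self.seen = defaultdict(set)      # zone -> names observed (bound this in production)
        self.recent = defaultdict(deque)  # zone -> timestamps of first-seen names

    def observe(self, ts, qname):
        """Feed one query; return its zone if that zone is over the limit."""
        zone = zone_of(qname, self.zones)
        if zone is None:
            return None
        name, q = qname.rstrip(".").lower(), self.recent[zone]
        if name not in self.seen[zone]:   # assumed to approximate a cache miss
            self.seen[zone].add(name)
            q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return zone if len(q) > self.max_new else None

# Constructed sample: (timestamp, source, qname); sources are documentation
# addresses standing in for shared public resolvers.
SAMPLE = (
    [(i * 0.5, "192.0.2.53", f"r{i:x}9k.example.com.") for i in range(12)]
    + [(i * 0.5, "192.0.2.53", "www.example.org.") for i in range(12)]
    + [(1.0, "198.51.100.7", "mail.example.org."), (2.0, "198.51.100.7", "other.test.")]
)

def flagged_zones(log, **limits):
    """Return zones to throttle; the source address is never part of the key."""
    det = ZoneFloodDetector(ZONES, **limits)
    return {z for ts, _src, qname in sorted(log) if (z := det.observe(ts, qname))}

if __name__ == "__main__":
    print(flagged_zones(SAMPLE))
```

Both sample zones receive the same query rate from the same resolver; only the zone with a stream of previously unseen names is flagged, so repeated lookups of existing names are unaffected.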