Dan McCombs via dnsdist <dnsdist@mailman.powerdns.com> writes:

> We've had on and off attacks recently targeting legitimate domains delegated
> to our authoritative service, flooding queries for random subdomains of
> varying length and characters/words, i.e. 12345.example.com,
> fred.example.com, abc178371jd.example.com, where example.com is a different
> domain we're authoritative for each attack.

That's usually called a pseudo-random subdomain attack. It happens to all of us.

> We have thousands of domains, so it doesn't seem reasonable to apply
> individual rate limits to them all, but if there is a straightforward way to
> do something like that I'd be happy to hear it. The source addresses are
> well-known public resolvers that we shouldn't rate limit either.

dnsdist doesn't really know which queries belong to which zones, so it would
be hard to implement a per-domain rate limit.

> I'm wondering if there's any way to detect and apply a rule dynamically to
> respond to queries for one of these domains without affecting the source IP
> address entirely, and not require us to manually add a rule for each domain
> as it occurs.

Have you looked at https://dnsdist.org/guides/dynblocks.html ? It can
dynamically block misbehaving clients, where you define what it means to be
misbehaving.

Best regards,
Jacob
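As an added illustration (not part of the thread above and not dnsdist's own sample configuration), the following dnsdist Lua configuration shows one way to use dynamic blocks against the situation described: the known public resolvers are excluded from per-client limits, and a suffix-match dynamic block flags a delegated zone whose subtree is suddenly almost all NXDOMAIN. It assumes dnsdist 1.4 or later, where DynBlockRulesGroup:setSuffixMatchRule() and the StatNode visitor exist; the 192.0.2.0/24 range and the thresholds are placeholders, and the counter field names should be checked against the reference for the deployed version.

```lua
-- dnsdist configuration (Lua). Added example, not from the thread.
-- Assumes dnsdist >= 1.4 (setSuffixMatchRule, DNSRCode, StatNode visitor).

local dbr = dynBlockRulesGroup()

-- Public resolvers that must not be rate-limited per client.
-- 192.0.2.0/24 is a documentation prefix used as a placeholder here.
dbr:excludeRange("192.0.2.0/24")

-- Per-client safety net for sources that are not the big resolvers:
-- more than 500 NXDOMAIN answers within 10 s -> drop that client for 60 s.
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 500, 10, "per-client NXDOMAIN rate", 60)

-- Zone-level rule. Every 10 s dnsdist walks the tree of names it has seen
-- and calls visitor() once per label: 'node' describes the label,
-- 'self' holds the counters for that label, 'children' the counters for
-- the subtree below it. A zone under a random-subdomain flood shows up as
-- a node whose subtree is almost entirely NXDOMAIN.
local function visitor(node, self, children)
  -- Only judge names at the depth of the delegated zones (example.com has
  -- two labels). Adjust this for zones such as example.co.uk.
  if node.labelsCount ~= 2 then
    return false
  end
  local total = children.queries
  if total < 1000 then
    return false -- too little traffic in the window to judge
  end
  -- Placeholder threshold: 90% or more of the subtree answered NXDOMAIN.
  return (children.nxdomains / total) >= 0.9
end

-- Drop queries for the flagged zone and everything below it for 60 s.
-- Caveat: legitimate queries for that zone are dropped for the block's
-- duration too; that is the trade-off for not touching resolver addresses.
dbr:setSuffixMatchRule(10, "zone under random-subdomain flood", 60,
                       DNSAction.Drop, visitor)

function maintenance()
  dbr:apply()
end
```

Active blocks can be inspected from the console with showDynBlocks(), which is where the reason strings above reappear.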