Hi Dan,

On 08/01/2024 17:28, Dan McCombs via dnsdist wrote:
>> In our case we are affected as we use Pdns + DB backend as backend.
>
> Yep, that's exactly our case as well - our legacy Pdns + mysql backends don't handle this very well. Longer term we intend to move away from that, but finding some improvements in the meantime for handling these floods would be helpful. I'll let you know if we come up with anything interesting!
This is unfortunately a common issue indeed these days. It is possible to use dnsdist to detect and mitigate these attacks to a certain extent, using the StatNode API along with DynBlockRulesGroup:setSuffixMatchRule [1] or the FFI equivalent for better performance. It requires writing a bit of Lua code and some tuning on top of dnsdist, but all the building blocks are there already. We have implemented this for several customers and they are happy with the results.
Best regards,

[1]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setSuffixMatchRule
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
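As an added example, not code from this thread or from PowerDNS, here is a dnsdist.conf fragment that wires a StatNode visitor into a DynBlockRulesGroup suffix rule so that a zone under a random-subdomain flood is dropped at dnsdist instead of hammering the PowerDNS + MySQL backends. The thresholds are constructed placeholders to be tuned per deployment, and the field names used on the visitor arguments (labelsCount, fullname, numChildren on the node; queries, nxdomains, servfails on the stats) are assumed from the dnsdist reference documentation.

```lua
-- dnsdist.conf excerpt (added example): mitigate random-subdomain floods.
-- Tunables below are constructed placeholders, not values from the thread.
local WINDOW_SECONDS = 20    -- look-back window over the query/response rings
local BLOCK_SECONDS  = 60    -- how long an offending suffix stays blocked
local MIN_QUERIES    = 500   -- ignore low-volume names in the window
local MIN_CHILDREN   = 200   -- distinct labels seen directly below the node
local FAIL_RATIO     = 0.90  -- NXDOMAIN+SERVFAIL share that marks a flood
local MIN_LABELS     = 2     -- never block the root or a bare TLD

-- Pure decision function: true when the counters look like a random-subdomain
-- flood (many distinct children, almost every answer NXDOMAIN or SERVFAIL).
function isRandomSubdomainFlood(labelsCount, queries, nxdomains, servfails, childCount)
  if labelsCount < MIN_LABELS then return false end
  if queries < MIN_QUERIES then return false end
  if childCount < MIN_CHILDREN then return false end
  return (nxdomains + servfails) / queries >= FAIL_RATIO
end

-- Visitor dnsdist calls for every label of every name seen in the window.
-- Assumed shapes: 'node' is the StatNode (fullname, labelsCount, numChildren()),
-- 'self' the aggregated stats of node and its subtree, 'children' the stats of
-- the subtree only. Returning true blocks the suffix for BLOCK_SECONDS.
function floodVisitor(node, self, children)
  local block = isRandomSubdomainFlood(node.labelsCount, self.queries,
                                       self.nxdomains, self.servfails,
                                       node:numChildren())
  if block then
    infolog("random-subdomain flood suspected under " .. node.fullname)
  end
  return block
end

local dbr = dynBlockRulesGroup()
dbr:setSuffixMatchRule(WINDOW_SECONDS, "Random subdomain flood",
                       BLOCK_SECONDS, DNSAction.Drop, floodVisitor)

-- dnsdist invokes maintenance() about once per second; apply() walks the
-- StatNode tree with the visitor and installs the resulting dynamic blocks.
function maintenance()
  dbr:apply()
end
```

Check the effect with `showDynBlocks()` on the console; a blocked suffix appears with the reason string above, and legitimate traffic for the zone apex is unaffected because only names below the flooded label are dropped.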