On 09/01/2024 09:50, Klaus Darilion wrote:
>> I fully agree, and we are working on having smarter mitigations in
>> dnsdist to only drop/truncate/route to a different pool queries that
>> are very likely to be part of a PRSD/enumeration attack.

> Do you already have ideas how to implement that? I have thought a lot about an algorithm
> to block only "bad" queries but have not found a method yet.

We have been looking into several heuristics, like the entropy of the queries, and we are getting good results.

> For authoritative nameservers, meanwhile I think it would be better to just
> load the attacked zone completely into dnsdist or pdns-cache (or something
> similar to aggressive caching). Because I think just answering (mostly
> NXDOMAIN) may be faster than deciding if a query is bad or good.

We have already deployed something like that for zones that are not DNSSEC-signed: dnsdist learns the content of the zone via XFR, sends NXDOMAIN for names that do not exist and passes the remaining ones to the backend. I know some people have done it in a different way and load attacked zones into a LMDB PowerDNS, telling dnsdist to route queries for these zones to the LMDB PowerDNS server. Of course most of the difficulty lies in automating this, which is very specific to every setup.

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
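A constructed model of the zone-learning filter described above (added here as an illustration; it is not dnsdist's or PowerDNS's code), covering the two cases that are easy to get wrong when deciding locally that a name does not exist: empty non-terminals and wildcards. The zone apex and the owner names standing in for the XFR contents are made up.

```python
# Constructed model of the "learn the zone via XFR, answer NXDOMAIN locally"
# filter from the thread; not dnsdist's own code. Assumes an unsigned zone
# (no NSEC proof needed) with no delegations below the apex.

ZONE_APEX = "example.net."

XFR_OWNER_NAMES = [            # constructed stand-in for names learned via AXFR
    "example.net.",
    "www.example.net.",
    "mail.example.net.",
    "a.b.deep.example.net.",   # implies empty non-terminals b.deep and deep
    "*.wild.example.net.",     # wildcard: names under wild need the backend
]

def normalize(name):
    """Lower-case and make absolute; DNS names compare case-insensitively."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def build_existing_names(apex, owner_names):
    """Every name that exists in the zone, including empty non-terminals."""
    apex = normalize(apex)
    existing = set()
    for owner in owner_names:
        owner = normalize(owner)
        if owner != apex and not owner.endswith("." + apex):
            continue  # out-of-zone name in the transfer (e.g. glue): ignore
        labels = [] if owner == apex else owner[:-len(apex) - 1].split(".")
        for i in range(len(labels) + 1):  # every suffix down to the apex exists
            rest = ".".join(labels[i:])
            existing.add(f"{rest}.{apex}" if rest else apex)
    return existing

def classify(qname, apex, existing):
    """'nxdomain' if it can be answered locally, 'backend' if the backend must decide."""
    qname, apex = normalize(qname), normalize(apex)
    if qname != apex and not qname.endswith("." + apex):
        return "backend"   # not the protected zone
    if apex not in existing:
        return "backend"   # zone not learned (yet): fail open, never fabricate NXDOMAIN
    if qname in existing:
        return "backend"   # exists: real answer or NODATA, only the backend has the RRsets
    encloser = qname       # walk up to the closest encloser
    while encloser not in existing:
        encloser = encloser.split(".", 1)[1]
    if f"*.{encloser}" in existing:
        return "backend"   # a wildcard covers it; the backend must synthesize
    return "nxdomain"

EXISTING = build_existing_names(ZONE_APEX, XFR_OWNER_NAMES)
```

Names under an empty non-terminal that no record covers are safely NXDOMAIN, while the non-terminal itself and anything under a wildcard must still reach the backend.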


_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
