Hi,
Our 2 x public authoritative DNS servers (vmware, 8 CPU, 16G RAM, BIND 9.18.28,
about 700 zones) are constantly getting DDOS attacks. Despite allkind
(increasing buffers, disabling firewall port 53 in/out tracking etc) BIND still
gives during attack about 50K udp errors, even CPU and RAM usage are normal, so
I'm currently testing dnsdist 1.9.6.
I've browsed the last 2 years of mailing list archives and read the official
docs, but still haven't figured out the best addLocal/newServer combination.
So few questions:
1) What amount of addLocal/newServer I should use? First I tried 8 x
addLocal/newServer for ipv4 and 8 x addLocal/newServer for ipv6, but CPU usage
was very high, when using instead of using 2 x addLocal/newServer for ipv4 and
2 x addLocal/newServer for ipv6, then CPU usage is much lower, however the qps
was same in both cases?
2) I'm using 3 in a row MaxQPSIPRules, but the first one is listed (as the last
rule) on the web server:
5 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP) tc=1 answer
How can I see also the others there, as I’d like view there their matches also
on the web server?
Rules are there:
showRules()
5 814105 (IP (/32, /64) match for QPS over
5 burst 5) && (UDP) tc=1 answer
6 254988 (IP (/32, /64) match for QPS over
10 burst 10) && (TCP) delay by 10 ms
7 45472 (IP (/32, /64) match for QPS over
20 burst 20) && (TCP) drop
And getting hits:
> topRules()
# Name Matches Rule
Action
0 805888 (IP (/32, /64) match for QPS over
5 burst 5) && (UDP) tc=1 answer
1 251769 (IP (/32, /64) match for QPS over
10 burst 10) && (TCP) delay by 10 ms
2 45387 (IP (/32, /64) match for QPS over
20 burst 20) && (TCP) drop
3) Can you give any tuning/configuration hints based my current config:
setACL({'0.0.0.0/0', '::/0'})
addLocal('127.0.0.1:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('x.x.x.x:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
addLocal('[x::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5"})
setSecurityPollSuffix("")
pc = newPacketCache(10000000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60,
staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
setRingBuffersSize(1000000, 100)
setMaxTCPClientThreads(20)
setMaxUDPOutstanding(65535)
local secondaryServersACL = newNMG()
secondaryServersACL:addMask("x.x.x.x")
secondaryServersACL:addMask("x.x.x.x")
addAction(AndRule({QTypeRule(DNSQType.AXFR),
NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(AndRule({QTypeRule(DNSQType.IXFR),
NetmaskGroupRule(secondaryServersACL)}), AllowAction())
addAction(NetmaskGroupRule(secondaryServersACL), AllowAction())
addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update),
QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
RCodeAction(DNSRCode.REFUSED))
addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.SERVFAIL))
addAction(AndRule{MaxQPSIPRule(5), TCPRule(false)}, TCAction())
addAction(AndRule{MaxQPSIPRule(10), TCPRule(true)}, DelayAction(10))
addAction(AndRule{MaxQPSIPRule(20), TCPRule(true)}, DropAction())
controlSocket("127.0.0.1")
setKey('xxxx')
webserver("x.x.x.x:8083")
setWebserverConfig({password="xxxx"})
--
Mart
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
