Hi,

Sorry, please ignore question 2, as suddenly these rules 6-7 appeared in the web server view also. :)
Mart

Mart Pirita via dnsdist wrote:
> Hi,
>
> Our 2 x public authoritative DNS servers (vmware, 8 CPU, 16G RAM, BIND 9.18.28, about 700 zones) are constantly getting DDOS attacks. Despite all kinds of tuning (increasing buffers, disabling firewall port 53 in/out tracking etc.) BIND still gives during an attack about 50K udp errors, even though CPU and RAM usage are normal, so I'm currently testing dnsdist 1.9.6.
>
> I've browsed the last 2 years of mailing list archives and read the official docs, but still haven't figured out the best addLocal/newServer combination.
>
> So a few questions:
>
> 1) What amount of addLocal/newServer should I use? First I tried 8 x addLocal/newServer for ipv4 and 8 x addLocal/newServer for ipv6, but CPU usage was very high; when using 2 x addLocal/newServer for ipv4 and 2 x addLocal/newServer for ipv6 instead, CPU usage is much lower, however the qps was the same in both cases?
>
> 2) I'm using 3 MaxQPSIPRules in a row, but only the first one is listed (as the last rule) on the web server:
> 5 (IP (/32, /64) match for QPS over 5 burst 5) && (UDP) tc=1 answer
>
> How can I also see the others there, as I'd like to view their matches on the web server too?
>
> Rules are there:
>
> > showRules()
> 5  814105  (IP (/32, /64) match for QPS over 5 burst 5) && (UDP)  tc=1 answer
> 6  254988  (IP (/32, /64) match for QPS over 10 burst 10) && (TCP)  delay by 10 ms
> 7  45472  (IP (/32, /64) match for QPS over 20 burst 20) && (TCP)  drop
>
> And getting hits:
> > topRules()
> #  Name  Matches  Rule  Action
> 0  805888  (IP (/32, /64) match for QPS over 5 burst 5) && (UDP)  tc=1 answer
> 1  251769  (IP (/32, /64) match for QPS over 10 burst 10) && (TCP)  delay by 10 ms
> 2  45387  (IP (/32, /64) match for QPS over 20 burst 20) && (TCP)  drop
>
> 3) Can you give any tuning/configuration hints based on my current config:
>
> setACL({'0.0.0.0/0', '::/0'})
> addLocal('127.0.0.1:53', { reusePort=true, tcpFastOpenQueueSize=100 })
> addLocal('x.x.x.x:53', { reusePort=true, tcpFastOpenQueueSize=100 })
> addLocal('[::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
> addLocal('[x::1]:53', { reusePort=true, tcpFastOpenQueueSize=100 })
> newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5})
> newServer({address="127.0.0.1:5353", tcpFastOpen=true, maxCheckFailures=5})
> newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5})
> newServer({address="[::1]:5353", tcpFastOpen=true, maxCheckFailures=5})
> setSecurityPollSuffix("")
> pc = newPacketCache(10000000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
> getPool(""):setCache(pc)
> setRingBuffersSize(1000000, 100)
> setMaxTCPClientThreads(20)
> setMaxUDPOutstanding(65535)
> local secondaryServersACL = newNMG()
> secondaryServersACL:addMask("x.x.x.x")
> secondaryServersACL:addMask("x.x.x.x")
> addAction(AndRule({QTypeRule(DNSQType.AXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
> addAction(AndRule({QTypeRule(DNSQType.IXFR), NetmaskGroupRule(secondaryServersACL)}), AllowAction())
> addAction(NetmaskGroupRule(secondaryServersACL), AllowAction())
> addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
> addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.SERVFAIL))
> addAction(AndRule{MaxQPSIPRule(5), TCPRule(false)}, TCAction())
> addAction(AndRule{MaxQPSIPRule(10), TCPRule(true)}, DelayAction(10))
> addAction(AndRule{MaxQPSIPRule(20), TCPRule(true)}, DropAction())
> controlSocket("127.0.0.1")
> setKey('xxxx')
> webserver("x.x.x.x:8083")
> setWebserverConfig({password="xxxx"})
>

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
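As an added illustration (not the poster's config and not dnsdist's own code), the Python model below replays the three MaxQPSIPRule rules from the quoted config over constructed query streams, so the per-client tc / delay / drop tiers and the /64 aggregation of IPv6 sources can be checked offline. It assumes the semantics the dnsdist docs describe: a per-source token bucket whose burst defaults to qps, AndRule evaluated left to right, and DelayAction not stopping rule processing, which is why the TCP drop rule still records matches in the topRules() output above; `simulate` and `source_key` are names chosen here.

```python
import ipaddress

# Added model of the quoted config's three MaxQPSIPRule rules (not dnsdist
# code). Assumed semantics, per the dnsdist docs: per-source token bucket with
# burst defaulting to qps, keys of /32 (IPv4) and /64 (IPv6), AndRule evaluated
# left to right, and processing that stops on TC/Drop but continues after Delay.

def source_key(ip):
    """Collapse a client address to its /32 (IPv4) or /64 (IPv6) bucket key."""
    prefix = 32 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class MaxQPSIPRule:
    """Matches once a source has emptied its token bucket (rate qps, size burst)."""
    def __init__(self, qps, burst=None):
        self.qps = qps
        self.burst = qps if burst is None else burst
        self.buckets = {}  # bucket key -> (tokens left, time of last update)

    def matches(self, ip, now):
        key = source_key(ip)
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.qps)  # refill
        if tokens >= 1:  # under the limit: spend a token, the rule does not match
            self.buckets[key] = (tokens - 1, now)
            return False
        self.buckets[key] = (tokens, now)  # bucket empty: the rule matches
        return True

def simulate(queries):
    """Final action ('pass', 'tc', 'delay' or 'drop') for each (time, ip, is_tcp) query."""
    r5, r6, r7 = MaxQPSIPRule(5), MaxQPSIPRule(10), MaxQPSIPRule(20)
    # (predicate, action, stops processing) in the order the quoted config adds them;
    # MaxQPSIPRule runs before TCPRule, so it spends a token for TCP queries too.
    chain = [
        (lambda ip, t, tcp: r5.matches(ip, t) and not tcp, "tc", True),
        (lambda ip, t, tcp: r6.matches(ip, t) and tcp, "delay", False),
        (lambda ip, t, tcp: r7.matches(ip, t) and tcp, "drop", True),
    ]
    results = []
    for t, ip, tcp in queries:
        action = "pass"
        for predicate, name, stops in chain:
            if predicate(ip, t, tcp):
                action = name  # a later Drop overrides an earlier Delay
                if stops:
                    break
        results.append(action)
    return results
```

Because MaxQPSIPRule sits first in each AndRule, it spends a token for every query, TCP included, before TCPRule is consulted; listing TCPRule first keeps TCP traffic from counting against the UDP limiter.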