Hello Frank,

Well. I have (I think) a small network; this was my first attack in 24 years. Yesterday I found that one domain was hit a lot, so I blocked that one and after that spoofed it. But that was when NaWas was already running. LMDB was something I hadn't heard of. All entries come from a central MariaDB that is connected to my client portal, so I have to look into how that works.

After the first attack I started to use pools so I can find out which IP was attacked. Here is my config below, only vip1, but I have multiple IPs set up; this gives me the output on the web interface to see which IP is hit. But I think that with this setup I have to add new lines for all the other pdns servers, like:

newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="ip2:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="ip3:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })

====================

dns_vip1 = newNMG()
dns_vip1:addMask('46.182.xxx.xxx/32')
dns_vip1b = newNMG()
dns_vip1b:addMask('2a00:1bd0:xxxx')

newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ipv4-xxx" })
newServer({address="127.0.0.1:5300", name="ns2.xxx", order=1, pool="ip6-xxx" })

cache1 = newPacketCache(50000, { keepStaleData=true, maxTTL=86400, minTTL=0, numberOfShards=4, maxNegativeTTL=600, staleTTL=180 })
-- the pool name here must match the pool= given to newServer, otherwise getPool() silently creates an empty pool and the cache is attached to that instead
getPool("ipv4-xxx"):setCache(cache1)
getPool("ip6-xxx"):setCache(cache1)

-- refuse zone transfers, NOTIFY and UPDATE at the edge so they never reach pdns
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR), OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update)}), RCodeAction(DNSRCode.REFUSED))

local dbr = dynBlockRulesGroup()
--- Create a dynamic block rule for overall queries/second allowed
dbr:setQueryRate(
  ---- The number of queries/second to rate limit at
  150,
  ---- Set the measurement period over the last 10 seconds
  10,
  ---- Log the action to syslog
  "Exceeded query rate limit",
  ---- Add the block for 120 seconds
  120
)
--- Create a dynamic block rule to block queries that have resulted in a NXDOMAIN response
dbr:setRCodeRate(
  ---- Match the NXDOMAIN response
  DNSRCode.NXDOMAIN,
  ---- The number of queries/second to rate limit at
  75,
  ---- Set the measurement period over the last 10 seconds
  10,
  ---- Log the action to syslog
  "Exceeded NXD response rate",
  ---- Add the block for 120 seconds
  120
)
--- Create a dynamic block rule to block inbound queries/second from hosts of the ANY type
dbr:setQTypeRate(
  ---- Match the ANY query type
  DNSQType.ANY,
  ---- The number of queries/second to rate limit at
  50,
  ---- Set the measurement period over the last 10 seconds
  10,
  ---- Log the action to syslog
  "Exceeded ANY rate",
  ---- Add the block for 120 seconds
  120
)

-- https://dnsdist.org/rules-actions.html
-- delay UDP answers by 100 ms for a single IPv4 /32 or IPv6 /48 sending more than 20 QPS
-- note: rules are evaluated in order and the first match wins, so a client above 20 QPS is
-- delayed here and never reaches the 4 QPS DropAction further down
addAction(MaxQPSIPRule(20, 32, 48), DelayAction(100))

-- https://powerdns.org/dnsdist-md/dnsdist-diagrams.md.html
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
setStaleCacheEntriesTTL(3600)

-- drop queries from a single IPv4 /32 or IPv6 /48 above 4 QPS
addAction(MaxQPSIPRule(4, 32, 48), DropAction())

function maintenance()
  -- the dynBlockRulesGroup rules only take effect when apply() is called from maintenance()
  dbr:apply()
  -- Get the addresses that had more than 20 NXDOMAINs in the last 10 seconds
  addresses = exceedNXDOMAINS(10, 20)
  -- Block the addresses for a minute
  addDynBlocks(addresses, "Exceeded NXDomain", 60)
end

-- route on the destination (VIP) address, so the web interface shows which IP is being hit
addAction(NetmaskGroupRule(dns_vip1, false), PoolAction('ipv4-xxx'))
addAction(NetmaskGroupRule(dns_vip1b, false), PoolAction('ip6-xxx'))

From: Frank @ Kiwazo <fr...@kiwazo.com>
Sent: Thursday 27 February 2025 11:35
To: mailingl...@tikklik.nl
CC: dnsdist mailing list <dnsdist@mailman.powerdns.com>
Subject: Re: [dnsdist] advice needed

Hi Steffan,

[NL]No problem, we understand you :) For many people here English is not their first language[/NL]

Do you have more information on the attack? Was it against one particular domain? Random subdomain attack?
There are a few things you could do, but it all depends on the type of the attack.

- On dnsdist, add Dynamic block rules https://www.dnsdist.org/guides/dynblocks.html. This allows you to block clients that e.g. generate a lot of queries which result in an NXDomain, or just to rate limit (but be careful with rate limiting legitimate resolvers).
- If this was a distributed random subdomain attack, it's quite hard to block those. At the time of the attack, you could block the attacked domain in dnsdist, preventing the queries from going to your backend infrastructure.
- In general, MySQL / PostgreSQL backends suffer a lot from the random subdomain attacks :( A faster backend like LMDB can handle 10x or even 100x more qps. So consider moving to one of those faster backends.

Best of luck fighting the bad folk!

Frank

Frank Louwers
Kiwazo
e: he...@kiwazo.be <mailto:he...@kiwazo.be>
m: +32 475 66 57 57

On 27 Feb 2025, at 11:20, Steffan via dnsdist <dnsdist@mailman.powerdns.com <mailto:dnsdist@mailman.powerdns.com> > wrote:

Hello All,

I had the following setup:

server ns1: dnsdist -> 127.0.0.1 pdns SQL backend, replicated database
server ns2: dnsdist -> 127.0.0.1 pdns SQL backend, replicated database

Last week I was attacked 3 times, flooding my system; yesterday 53 million hits in 10 minutes. I'm now on NaWas DDoS temporarily. That was the only way to stop it.

I have now split my DNS server (multiple resellers), and the above setup now exists 3 times to separate the load.

The question... What is the best way now: keep this setup
- 6x dnsdist
- 6 different NS servers
Or should I use one dnsdist that connects to the 6 DNS servers for load balancing?

My idea was to keep this setup and then let all 6 dnsdist connect to the 6 servers, so if there are problems I can remove a DNS server from one of the 6. But how to do that without exposing pdns to the public?

Sorry, I'm Dutch 😊 Hope I made myself clear.

With regards,
Steffan

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
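Added example, not part of this thread and not dnsdist's own code: a small Python model of what the dynamic block rules discussed above (dbr:setQueryRate and dbr:setRCodeRate in Steffan's config, the dynblocks guide Frank points to) actually do to traffic. It counts each client's answered queries over a sliding window, aggregates clients per IPv4 /32 and IPv6 /64 like dnsdist's dynamic-block defaults, and blocks a client for a fixed time once the count passes rate times window. The thresholds (150 q/s, 75 NXDOMAIN/s, 10 s window, 120 s block) are taken from the posted config; the traffic fed to it is constructed here, not a capture from the attack. dnsdist keeps its counters in a ring buffer and applies blocks from maintenance(), so exact trigger moments differ slightly from this model.

```python
"""Model of dnsdist-style dynamic blocks: per-client sliding-window counters,
blocked for a while when count > rate * window. Constructed illustration,
not dnsdist code."""
import ipaddress
from collections import defaultdict, deque

# Thresholds taken from the dbr:setQueryRate / dbr:setRCodeRate calls in the thread.
WINDOW_S = 10      # measurement period in seconds
QUERY_RATE = 150   # queries/second overall
NXD_RATE = 75      # NXDOMAIN responses/second
BLOCK_S = 120      # length of a dynamic block in seconds


def client_key(addr: str) -> str:
    """Aggregate clients like dnsdist's dynamic-block defaults: one counter
    per IPv4 /32 and per IPv6 /64."""
    ip = ipaddress.ip_address(addr)
    prefix = 32 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class DynBlocker:
    def __init__(self, window=WINDOW_S, query_rate=QUERY_RATE,
                 nxd_rate=NXD_RATE, block_s=BLOCK_S):
        self.window = window
        self.block_s = block_s
        self.query_limit = query_rate * window   # max queries per window
        self.nxd_limit = nxd_rate * window       # max NXDOMAINs per window
        self.events = defaultdict(deque)         # key -> deque of (ts, rcode)
        self.blocks = {}                         # key -> (expires_at, reason)

    def is_blocked(self, addr: str, now: float) -> bool:
        """True while a block for the client's /32 or /64 is in force; expired blocks are removed."""
        key = client_key(addr)
        entry = self.blocks.get(key)
        if entry is None:
            return False
        if entry[0] <= now:
            del self.blocks[key]
            return False
        return True

    def record(self, addr: str, rcode: str, now: float):
        """Account one answered query. Returns the reason string when this
        query pushed the client over a limit and a new block was added."""
        key = client_key(addr)
        q = self.events[key]
        q.append((now, rcode))
        while q and q[0][0] <= now - self.window:   # slide the window forward
            q.popleft()
        total = len(q)
        nxd = sum(1 for _, rc in q if rc == "NXDOMAIN")
        reason = None
        if total > self.query_limit:
            reason = "Exceeded query rate limit"
        elif nxd > self.nxd_limit:
            reason = "Exceeded NXD response rate"
        if reason and not self.is_blocked(addr, now):
            self.blocks[key] = (now + self.block_s, reason)
            return reason
        return None


def simulate(records, blocker=None):
    """Feed (timestamp, client_ip, rcode) records in time order. Returns the
    blocks that were added ({key: reason}) and how many records came from an
    already blocked client (what dnsdist's default Drop action would discard)."""
    blocker = blocker or DynBlocker()
    reasons, dropped = {}, 0
    for ts, client, rcode in records:
        if blocker.is_blocked(client, ts):
            dropped += 1
            continue
        reason = blocker.record(client, rcode, ts)
        if reason:
            reasons[client_key(client)] = reason
    return reasons, dropped


def sample_traffic():
    """Constructed traffic, not a capture: a legitimate resolver, one IPv4
    random-subdomain attacker, and two IPv6 sources in one /64 that only
    exceed the NXDOMAIN limit when counted together."""
    recs = []
    for i in range(20):                      # resolver: 2 q/s, a few NXDOMAINs
        recs.append((i * 0.5, "198.51.100.10", "NXDOMAIN" if i % 5 == 0 else "NOERROR"))
    for i in range(800):                     # 80 NXDOMAIN/s, above 75/s
        recs.append((i * 0.0125, "203.0.113.7", "NXDOMAIN"))
    for i in range(400):                     # 40/s each, 80/s for the /64
        recs.append((i * 0.025, "2001:db8:1::a", "NXDOMAIN"))
        recs.append((i * 0.025, "2001:db8:1::b", "NXDOMAIN"))
    recs.sort(key=lambda r: r[0])
    for i in range(200):                     # attacker keeps going while blocked
        recs.append((10.5 + i * 0.01, "203.0.113.7", "NXDOMAIN"))
    return recs


if __name__ == "__main__":
    blocks, dropped = simulate(sample_traffic())
    for key, why in blocks.items():
        print(f"dynblock {key}: {why}")
    print(f"{dropped} queries dropped from blocked clients")
```

The /64 aggregation is the part worth noticing: neither IPv6 source alone crosses 75 NXDOMAIN/s, but their /64 does, which is why a per-/128 counter would miss this pattern and why dnsdist groups IPv6 clients that way by default. The resolver at 2 q/s with a handful of NXDOMAINs stays well below both limits, which is the "be careful with rate limiting legitimate resolvers" point from the reply above.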