Hi Josh,

The README is everything that I have used so far:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md

For easy load balancing you can do it with *dnsdist my.first.server.here my.second.server.here --daemon*

Federico

2015-12-18 2:53 GMT+00:00 Josh Sanders <[email protected]>:

> THANK YOU VERY MUCH! Federico. I will test them.
>
> I read your email about dnsdist.
> I would like to use it as a load balancer between master/slave.
>
> Could you please recommend me a tutorial for dnsdist?
>
> Thanks again and have a nice day!
>
> Josh
>
> On Thu, Dec 17, 2015 at 4:08 AM, Federico Olivieri <[email protected]> wrote:
>
>> Sure,
>>
>> First of all, we need to have a look at the hexadecimal values of a DNS
>> ANY query packet. Below is an example of a DNS query for
>> www.facebook.com - ANY
>>
>> 21:45:17.159364 00:0f:34:ac:fa:49 > d0:50:99:53:f2:fc, ethertype IPv4 (0x0800), length 76: 192.168.0.2.44040 > 172.16.0.3.53: 29319+ ANY? www.facebook.com. (34)
>>
>> 0x0000: 4500 003e d702 0000 4011 36ef c0a8 0002 E..>....@.6.....
>> 0x0010: ac10 0003 ac08 0035 002a 7d19 7287 0100 .......5.*}.r...
>> 0x0020: 0001 0000 0000 0000 0377 7777 0866 6163 .........www.fac
>> 0x0030: 6562 6f6f 6b03 636f 6d00 00ff 0001 ebook.com.....
>>
>> Analyzing the hexadecimal of the trace, at the end of the packet we can
>> notice the value 0x00ff0001 (corresponding to "....." in ASCII) that
>> identifies the DNS query as type ANY. Thanks to that, iptables can analyze
>> each DNS query packet, identify those that are DNS queries of type ANY,
>> keep a memory of the source IP that sends the ANY request, and temporarily
>> restrict the number of DNS ANY queries for that specific IP address for a
>> period of time.
>>
>> Let's analyze and explain the iptables rules deployed on the DNS server:
>>
>> iptables -I INPUT 4 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --set --name dnsanyquery --rsource
>>
>> iptables -I INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP
>>
>> First rule - from left to right:
>>
>> *iptables -I INPUT 4* --> configure an iptables rule on the INPUT chain
>> and place it at position 4 of the ACL
>>
>> *-p udp --dport 53* --> take into account UDP packets with destination port
>> number 53
>>
>> *-m string* --> use the iptables-extension module called "string"
>>
>> *--hex-string "|0000ff0001|"* --> The string to be matched inside the
>> packet must correspond to the hexadecimal value "0000ff0001" (that
>> corresponds to the ANY DNS query type in the above tcpdump trace)
>>
>> *--algo bm* --> To those packets that match the above values, apply the
>> Boyer-Moore algorithm
>>
>> *-m recent* --> Apply a second iptables-extension module called *recent*.
>> The recent module allows you to dynamically create a list of IP addresses and then
>> match against that list in a few different ways. For example, you can
>> create a "badguy" list out of people attempting to connect to port *xyz*
>> on your firewall and then DROP all future packets from them without
>> considering them.
>>
>> *--set --name dnsanyquery* --> To those packets, apply a list named
>> *dnsanyquery*
>>
>> *--rsource* --> In the *dnsanyquery* list save the source IP address of
>> those packets that match the above rules
>>
>> Second rule - The first part is the same as the first rule *(iptables -I
>> INPUT 5 -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm
>> -m recent)*
>>
>> *--rcheck* --> Check if the source address of the packet is currently in
>> the list (*dnsanyquery*)
>>
>> *--seconds 60* --> This will narrow the match to only happen when the
>> address is in the list and was seen within the last given number of seconds
>> (60 seconds in this rule)
>>
>> *--hitcount 5* --> This will narrow the match to only happen when the
>> address is in the list and packets had been received greater than or equal
>> to the given value (5 hits in this rule)
>>
>> *--name dnsanyquery --rsource* --> Same meaning as in the first rule
>>
>> *-j DROP* --> Drop the packets that match the values described in this
>> iptables rule.
>>
>> Thanks to a bash script, we can convert the raw data of the *dnsanyquery* list
>> and find out which IP address (and when) sent more than 5 ANY queries in
>> less than 60 seconds
>>
>> root@banana:/etc/my_scripts# ./recent_dns.sh
>>
>> 192.168.0.2........................................Tue Sep 29 22:36:15 BST 2015
>>
>> 2015-12-17 0:33 GMT+00:00 Josh Sanders <[email protected]>:
>>
>>> Hello, Could you point me in the right direction with a tutorial or
>>> example?
>>> Thank you for your reply
>>>
>>> On Wed, Dec 16, 2015 at 5:11 PM, Federico Olivieri <[email protected]> wrote:
>>>
>>>> Hi, have you tried with iptables? You can set the max ANY queries per
>>>> IP and track the IPs that ask for the ANY query
>>>> On 16 Dec 2015 22:05, "Josh Sanders" <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I just set up PowerDNS and it works faultlessly:
>>>>> pdns-static_3.4.7-1_amd64.deb
>>>>>
>>>>> But it keeps receiving 100s of ANY queries.
>>>>>
>>>>> PowerDNS/Bind Backend has zone: mydomain.com but it keeps receiving
>>>>> ANY queries like these:
>>>>>
>>>>> Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
>>>>> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS
>>>>>
>>>>> I know how to block those IPs with fail2ban but I would not like to
>>>>> have 100s of iptables rules.
>>>>>
>>>>> Is there a way to block ANY queries?
>>>>>
>>>>> I mean like CloudFlare does: Please stop asking for ANY / See
>>>>> draft-jabley-dnsop-refuse-any
>>>>>
>>>>> Also, I tried any-to-tcp=yes but it does not seem to be working.
>>>>>
>>>>> Thanks
>>>>>
>>>>> _______________________________________________
>>>>> Pdns-users mailing list
>>>>> [email protected]
>>>>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
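As an added example that is not part of the thread, the following Python models what the two iptables rules quoted above do: it reads the QTYPE from the question section of the captured packet (rather than pattern-matching the trailing `0000ff0001` bytes, which the string module searches for anywhere in the packet), and keeps a per-source 60-second / 5-hit window mirroring `-m recent --set` followed by `--rcheck --seconds 60 --hitcount 5 -j DROP`. The sample bytes are the DNS payload transcribed from the tcpdump trace in the thread; the `AnyQueryLimiter` class and its ACCEPT/DROP verdicts are my own construction, not PowerDNS or netfilter code.

```python
import time
from collections import defaultdict, deque

# Constructed sample: the DNS message (UDP payload) of the ANY query in the
# tcpdump trace above, i.e. the bytes after the 20-byte IP and 8-byte UDP headers.
SAMPLE_ANY_QUERY = bytes.fromhex(
    "7287 0100 0001 0000 0000 0000 0377 7777 0866 6163"
    "6562 6f6f 6b03 636f 6d00 00ff 0001"
)
QTYPE_ANY = 255

def parse_question(dns):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(dns) < 12 or int.from_bytes(dns[4:6], "big") < 1:
        raise ValueError("truncated header or empty question section")
    pos, labels = 12, []
    while True:
        if pos >= len(dns):
            raise ValueError("truncated QNAME")
        length = dns[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in QNAME")
        labels.append(dns[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(dns):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype = int.from_bytes(dns[pos:pos + 2], "big")
    qclass = int.from_bytes(dns[pos + 2:pos + 4], "big")
    return ".".join(labels), qtype, qclass

class AnyQueryLimiter:
    """Model of '-m recent --set' then '--rcheck --seconds 60 --hitcount 5 -j DROP'."""
    def __init__(self, seconds=60, hitcount=5):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = defaultdict(deque)  # source IP -> timestamps of its ANY queries

    def decide(self, src_ip, dns, now=None):
        """Return 'ACCEPT' or 'DROP' for one UDP/53 packet from src_ip."""
        now = time.time() if now is None else now
        if parse_question(dns)[1] != QTYPE_ANY:
            return "ACCEPT"            # neither rule matches non-ANY queries
        hits = self.seen[src_ip]
        hits.append(now)               # rule 1 (--set): record this packet
        while hits and now - hits[0] > self.seconds:
            hits.popleft()             # only the last --seconds window counts
        return "DROP" if len(hits) >= self.hitcount else "ACCEPT"  # rule 2
```

Because `--set` runs before `--rcheck`, the fifth ANY query inside the window is the first one dropped, and a source that goes quiet for more than 60 seconds starts again from a clean count.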
