On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3, today I see my server not
> response and error or timeout on resolves.

Hi Hamed,

What you can best do is install dnsdist and put it in front of your
authoritative servers.

Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1
and your current auth server IP is 1.2.3.4:

    newServer("127.0.0.1")
    setLocal("1.2.3.4")
    addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second.

I also recommend you set up the internal webserver, which will give you a
good feel for what is going on: https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP, which stops
most attacks:

    addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the eBPF kernel-based limits as
described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but
it does require a recent kernel.

Good luck!

> When check the server see too many DNS requests from some IPs from Brazil
> like DDOS attack. To fix errors and timeouts, I block the attacker subnet in
> my firewall.
>
> Now could you please let me know how protect my server from DOS and DDOS
> attacks?
>
> Best Regards,
>
> Hamed Haghshenas
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
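
Added illustration, not part of the original thread and not dnsdist's own code: a simplified token-bucket model of the two per-IP policies from the reply above (drop over-limit queries, or answer over-limit UDP queries with TC=1 so the client retries over TCP), run over constructed traffic. The class and function names, the token-bucket behaviour with a burst equal to the QPS, and the sample addresses are assumptions made for this example.

```python
from collections import Counter

class PerIPLimiter:
    """Token bucket per source IP, integer math (milli-tokens, milliseconds)."""
    def __init__(self, qps, burst=None):
        self.qps = qps
        self.cap = (burst if burst is not None else qps) * 1000
        self.state = {}  # ip -> (milli_tokens, last_seen_ms)

    def over_limit(self, ip, now_ms):
        tokens, last = self.state.get(ip, (self.cap, now_ms))
        # Refill: qps tokens per second == qps milli-tokens per millisecond.
        tokens = min(self.cap, tokens + (now_ms - last) * self.qps)
        exceeded = tokens < 1000
        self.state[ip] = (tokens if exceeded else tokens - 1000, now_ms)
        return exceeded

def decide(policy, limiter, ip, proto, now_ms):
    """policy 'drop': limit every query. policy 'tc': limit UDP only."""
    if policy == "tc" and proto == "tcp":
        # Models AndRule({TCPRule(false), ...}): TCP never matches the rule,
        # and (assumption) does not consume a token either.
        return "pass"
    if limiter.over_limit(ip, now_ms):
        return "drop" if policy == "drop" else "truncate"
    return "pass"

def simulate(policy, queries, qps=10):
    """Return {source_ip: Counter of outcomes} for (ms, ip, proto) tuples."""
    limiter = PerIPLimiter(qps)
    result = {}
    for now_ms, ip, proto in sorted(queries):
        outcome = decide(policy, limiter, ip, proto, now_ms)
        result.setdefault(ip, Counter())[outcome] += 1
    return result

# Constructed traffic (documentation address ranges, not real sources):
# one source sending 50 UDP queries in a second, one normal client,
# and one TCP retry from the busy source.
FLOOD = [(i * 20, "203.0.113.5", "udp") for i in range(50)]
CLIENT = [(t, "198.51.100.7", "udp") for t in (0, 300, 600)]
TCP_RETRY = [(990, "203.0.113.5", "tcp")]

if __name__ == "__main__":
    for policy in ("drop", "tc"):
        for ip, counts in simulate(policy, FLOOD + CLIENT + TCP_RETRY).items():
            print(policy, ip, dict(counts))
```

In this model the busy source gets its initial burst plus the refill rate and nothing more, the normal client is never affected, and under the TC policy a source that can complete a TCP handshake still gets answered.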